GDPR for Self-Employed Beauty Workers
You are a sole trader doing nails, hair, facials, or lashes. You might think data protection law is for big companies, not you. It is not. If you hold client names, phone numbers, addresses, medical details, or photos on your phone, in a notebook, or on any system - you are a data controller under UK GDPR. And you have legal obligations.
This guide explains what those obligations are, in plain English, without the jargon.
Quick Rule of Thumb
If you store any information about a client that could identify them - even just a name and phone number - you are processing personal data and UK GDPR applies to you. Yes, even if you are a sole trader. Yes, even if it is just in your phone contacts.
Tip for new starters: Register with the ICO in your first week. It costs £40 per year and takes 10 minutes online. Forgetting to register is a criminal offence and the ICO can fine you up to £4,350. Do not put it off.
Are You a Data Controller?
Almost certainly yes.
A data controller is anyone who decides WHY and HOW personal data is processed. If you decide to collect client names, phone numbers, allergy information, and treatment records - you are the data controller. It does not matter that you are a sole trader with 30 clients. The rules apply.
ICO Registration
The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most organisations that process personal data must register with the ICO and pay an annual fee.
Do you need to register?
If you process personal data (and you do - client records, contact details, consultation cards), you almost certainly need to register.
The fee
For most sole traders and micro-organisations (fewer than 10 staff, turnover under £632,000):
£40 per year (paid by direct debit, or £55 if you pay by other methods).
How to register
Go to ico.org.uk/registration and use the self-assessment tool. It takes about 10 minutes. You can pay by direct debit for the lowest fee.
What happens if you do not register?
The ICO can fine you up to £4,350 for failing to pay the fee. They do check. They do issue fines. It is not worth the risk for £40 a year.
Exemptions
There is a limited exemption if you only process personal data for:
- Staff administration (but you are a sole trader, so this is unlikely to be relevant)
- Advertising, marketing, and public relations (only if for your own business and the data subjects have consented)
- Accounts and records
If ALL of your processing falls into these exempt categories, you may not need to register. But in beauty, you almost certainly process health data (allergies, skin conditions, pregnancy status) which is NOT covered by these exemptions. Register. It is £40.
What Counts as Personal Data in Beauty?
Personal data is any information that can identify a living person, directly or indirectly.
In your beauty business, this includes:
| Data type | Personal data? | Special category? |
|---|---|---|
| Client name | Yes | No |
| Phone number | Yes | No |
| Email address | Yes | No |
| Home address | Yes | No |
| Date of birth | Yes | No |
| Photos of the client | Yes | No (usually) |
| Allergies | Yes | Yes - health data |
| Skin conditions | Yes | Yes - health data |
| Medications | Yes | Yes - health data |
| Pregnancy status | Yes | Yes - health data |
| Medical history (on consultation cards) | Yes | Yes - health data |
| Patch test results | Yes | Yes - health data |
| Racial or ethnic origin | Yes | Yes |
| Religious beliefs (e.g., dietary/product preferences) | Yes | Yes |
Special Category Data: The Big One
Health data is "special category" data under Article 9 of UK GDPR. This means it gets extra protection. You cannot process it on the basis of "legitimate interest" alone: on top of your normal lawful basis, you need a specific Article 9 condition for handling it.
For most beauty workers, the appropriate legal basis for processing health data is explicit consent (Article 9(2)(a)).
What does explicit consent mean?
- The client must actively agree (opt in) - you cannot assume consent
- The consent must be specific - "I consent to you recording my allergy information for treatment purposes"
- The consent must be informed - the client must know what you are recording and why
- The consent must be freely given - the client must have a genuine choice
- You must keep a record of the consent
In practice:
Include a consent statement on your consultation card. Something like:
"I consent to [your name/business name] recording the health and medical information I have provided on this form. This information will be used to ensure safe treatment and will be stored securely. I understand I can withdraw my consent at any time."
The client signs it. You keep it. Done.
Privacy Notice
You need a privacy notice - a clear statement telling people what data you collect, why, and what you do with it.
What it should include:
- Your name and contact details (the data controller)
- What data you collect (names, phone numbers, health information, photos, etc.)
- Why you collect it (to provide treatments safely, to contact them about appointments, marketing if they have consented)
- The legal basis for processing (consent for health data, legitimate interest for basic contact info, consent for marketing)
- How long you keep it (retention periods - see our record-keeping guide)
- Who you share it with (booking systems, payment processors, your accountant)
- Their rights (access, deletion, correction, objection)
- How to complain (to you first, then to the ICO)
Where to display it:
- On your website or booking page (if you have one)
- A printed copy in your workspace
- Available on request
- Ideally, a link in your booking confirmation messages
You do not need a solicitor to write a privacy notice. The ICO has a template you can adapt. Keep it simple and honest.
The Right to Be Forgotten (Right to Erasure)
If a client asks you to delete all their data, you must comply - unless you have a legal reason to keep it.
When you must delete:
- The client withdraws consent (and consent was your legal basis)
- The data is no longer needed for the purpose it was collected
- The client objects and you have no overriding legitimate reason to keep it
When you can refuse to delete:
- You need the records for a legal claim (insurance purposes - keep treatment records for at least 7 years)
- You are required by law to keep certain records (HMRC requires financial records for 5 years)
- The data is needed for public health purposes
In practice:
If a client asks you to delete their data:
- Delete their marketing data immediately (remove from mailing lists, delete their contact from your marketing tools)
- Explain that you need to keep treatment records for insurance purposes (7 years) and financial records for HMRC (5 years)
- Delete anything else - photos, personal notes, social media content featuring them
- Confirm in writing what you have deleted and what you have kept (and why)
Client Photos
Photos are a huge part of beauty marketing. Before/after shots, portfolio work, social media content. But photos of identifiable people are personal data.
What you need:
Explicit consent. Not just "they didn't say no." Active, documented agreement.
Your consent form (or section on your consultation card) should cover:
- What photos you will take
- What you will use them for (portfolio, social media, website, marketing materials)
- Where they will be published (Instagram, Facebook, your website, etc.)
- Whether the client's face will be visible
- How long you will use them
- That the client can withdraw consent at any time
Key points:
- A client can consent to photos for your portfolio but NOT for social media - they are separate uses
- If a client withdraws consent, you must remove the photos from wherever they are published (this includes deleting Instagram posts)
- Before/after photos must not be misleading (ASA rules apply)
- If the client is under 18, you need parental consent
Tagging clients on social media:
This shares their personal data publicly. Get consent before tagging. Better yet, let the client tag themselves.
WhatsApp and Data Protection
WhatsApp is the de facto communication tool for many beauty businesses. But there are GDPR implications.
WhatsApp is a data processor
When you use WhatsApp to communicate with clients, WhatsApp (Meta) is processing personal data on your behalf. Under UK GDPR, you should have a data processing agreement with any processor. WhatsApp's Terms of Service act as this agreement, but it is worth being aware that this is the arrangement you are relying on.
Risks:
- Messages are stored on WhatsApp's servers (which are operated by Meta, a US company). EU/UK GDPR has restrictions on transferring data outside the UK. Meta relies on standard contractual clauses, but this is a grey area.
- If you lose your phone, all client messages (including health information) are accessible to whoever finds it. That is a data breach.
- Group chats - adding clients to group chats shares their phone number with other participants. That is sharing personal data without consent.
- WhatsApp broadcast lists - if you use these for marketing, you need opt-in consent from every recipient.
What to do:
- Check that end-to-end encryption is in place (WhatsApp enables it by default, so do not switch it off)
- Set a strong phone lock (PIN, fingerprint, face ID)
- Enable remote wipe capability on your phone
- Do not add clients to group chats without their consent
- Consider whether WhatsApp is appropriate for sharing sensitive health information - a dedicated booking system with proper security might be better
Data Breaches
A data breach is any security incident that affects the confidentiality, integrity, or availability of personal data. In plain English: data getting into the wrong hands, or being lost or destroyed.
Examples in beauty:
- You lose your phone and it contains client data (names, numbers, health records, photos)
- Your laptop is stolen with client records on it
- You accidentally send a client's consultation card to the wrong person
- Your booking system is hacked
- You leave consultation cards visible to other clients
What to do if a breach happens:
- Contain it. Lock your phone remotely. Change passwords. Retrieve the lost data if possible.
- Assess the risk. What data was affected? How many people? Is there a risk of harm (financial loss, discrimination, distress)?
- Report to the ICO if the breach is likely to result in a risk to people's rights. You must report within 72 hours of becoming aware of the breach. Report at ico.org.uk.
- Tell the affected clients if the breach is likely to result in a high risk to them.
- Document it. Record what happened, what data was affected, and what you did about it.
When you must report to the ICO:
Not every breach needs reporting. If you leave a consultation card on the bus and it is returned to you within an hour with no evidence anyone read it, you probably do not need to report it (but document it internally).
If your phone with 200 clients' health records is stolen and you cannot remotely wipe it - you need to report it.
When in doubt, report. The ICO would rather receive an unnecessary report than not receive a necessary one.
Practical GDPR Checklist for Beauty Workers
- Register with the ICO (£40/year) - ico.org.uk/registration
- Write a privacy notice and display it (website, booking system, or printed copy)
- Add a consent statement to your consultation cards covering health data
- Get separate explicit consent for photos and marketing
- Secure your phone with a strong lock and remote wipe
- Store paper records in a locked cabinet or drawer
- Set data retention periods (treatment records: 7 years, financial records: 5 years, marketing consent: ongoing)
- Have a process for handling data subject requests (deletion, access, correction)
- Know what to do if you have a data breach (contain, assess, report if necessary)
- Review your booking system and communication tools for GDPR compliance
What To Do Next
- Register with the ICO if you have not already. Go to ico.org.uk/registration. It takes 10 minutes and costs £40.
- Update your consultation cards to include a consent statement for health data.
- Write a simple privacy notice. The ICO has templates you can adapt.
- Secure your phone. Strong lock, remote wipe enabled, encrypted backup.
- Review your photo consent process. Make sure you have documented consent for every client photo you use in marketing.
- Lock up paper records. A lockable filing cabinet or drawer is fine.
Tip for new starters: Set a strong passcode on your phone and enable remote wipe from day one. Your phone contains client names, numbers, health information, and photos. If you lose it without a lock on it, that is a data breach you will need to report to the ICO within 72 hours.
Who To Contact
- ICO - 0303 123 1113 (Free) - ico.org.uk - data protection regulator
- ICO registration - ico.org.uk/registration (Free to use, £40/year fee)
- ICO breach reporting - ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/ (Free)
- Citizens Advice - 0800 144 8848 (Free) - citizensadvice.org.uk
- NHBF - nhbf.co.uk - industry guidance on GDPR (Paid, members only)
Sources
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- ICO guidance for small organisations
- ICO guidance on consent
- ICO guidance on special category data
- ICO guidance on data breach reporting
- Privacy and Electronic Communications Regulations 2003 (PECR)