GDPR for Beauty Therapists: Handling Client Data Simply
You Collect More Data Than You Realise
Every consultation form, booking record, and treatment note you hold is personal data. Under UK GDPR, that means you have legal responsibilities — even as a sole trader or small salon. The good news is that for most beauty businesses, compliance is straightforward if you know what to focus on.
This guide is an overview, not legal advice. If you have specific concerns about your data practices, it's worth speaking to a professional or consulting the ICO website directly.
Register With the ICO
If you process personal data as part of your business — which you almost certainly do — you're likely required to register with the Information Commissioner's Office (ICO) and pay the annual data protection fee. For most small businesses this is £40 per year, though some exemptions apply.
Check your status at ico.org.uk. It takes about ten minutes to register if needed.
What Data Do You Actually Hold?
Think through everything you collect:
- Names, addresses, phone numbers, email addresses
- Date of birth
- Medical history, allergies, and health conditions recorded on consultation forms
- Photos taken before or after treatments
- Payment records
- Booking history and treatment notes
Health information is classed as "special category data" under GDPR, which means it requires extra care. You need a lawful basis for holding it, and explicit consent is often the clearest route for beauty businesses.
Getting Consent Right
Your consultation form is the natural place to obtain consent. Include a clear statement explaining:
- What data you're collecting
- Why you're collecting it (providing beauty treatments and maintaining client records)
- How you'll store it
- How long you'll keep it
- That they can request to see or delete their data
Clients should sign or tick to confirm they agree. Avoid pre-ticked boxes — consent must be active.
Storing Data Securely
Paper forms should be kept in a locked filing cabinet. Digital records should be password-protected. If you use a booking system or CRM, check it's GDPR-compliant and based in the UK or an approved country.
Don't keep client data in a shared Google Sheet without proper access controls. Don't store sensitive health information in unencrypted emails. Sounds basic, but these are the most common gaps.
How Long Should You Keep Records?
There's no single legal answer, but common guidance for beauty businesses is to retain client records for at least three years after the last appointment (longer if the client is a minor — some advisors suggest until they turn 21). After that, securely delete or dispose of records.
Build a review process into your calendar — once a year, check for records you can clear.
Responding to a Data Subject Request
If a client asks to see what data you hold about them, you must provide it within one calendar month at no charge. If they ask you to delete their data, you generally must comply — unless you have a legitimate reason to retain it (such as an ongoing dispute).
Keep a simple log of any requests you receive and how you responded.
Using Client Photos
Photos taken for before-and-after purposes require specific consent. Your consultation form or a separate photo consent form should state clearly what the photos will be used for — internal records only, or social media as well. Clients can consent to one without the other.
Never post a client's image on social media without explicit written permission. This is one of the most common GDPR complaints in the beauty industry.
GDPR doesn't have to be overwhelming. With clear forms, secure storage, and a straightforward consent process, most small beauty businesses can handle it confidently.
These articles are general guidance for UK beauty therapists, not legal or medical advice. Our forms are editable templates — adapt them to your specific treatments and local regulations.