Client briefs, planning documents, and site photography — architectural practices collect more personal data than most partners realise, and GDPR applies to all of it.
Architectural practices handle an unusual volume of personal data. Client names, home addresses, financial details, planning consultation responses from neighbours, site photography that may capture individuals — all of this is personal data under GDPR, and all of it requires a lawful basis to collect and process.
Many practices assume that because they work in the built environment, in drawings, CAD files, and planning codes, GDPR is primarily a concern for tech companies. It isn't. If your practice processes personal data about identifiable individuals, GDPR applies (in the UK, as the UK GDPR read alongside the Data Protection Act 2018). This guide covers what you need to know.
Architectural Practices as Data Controllers
An architectural practice is a data controller whenever it determines the purposes and means of processing personal data. In practice, this applies to almost everything you do with client information.
When a client engages your practice for a residential extension, you collect their name, address, contact details, and financial information. You hold those details in your project management system, your accounting software, and your email archive. You determine how long to keep them, who has access, and what they're used for. That makes you the data controller — and it means GDPR obligations apply directly to your practice.
Types of Personal Data Architectural Practices Hold
Client Data
Client records typically include full names and home addresses, email addresses and phone numbers, financial details (invoices, payment schedules, fee agreements), and brief documents containing personal aspirations, family circumstances, and lifestyle information.
Brief documents in particular can be surprisingly personal. A residential client explaining that they need a ground-floor bedroom due to mobility issues may inadvertently share health-related information. Under GDPR, health data is special category data: as well as a lawful basis, you need one of the Article 9 conditions to process it (for a client brief, usually the client's explicit consent), and it should be handled and retained with more care than ordinary contact details.
Planning Application Data
When you submit a planning application on behalf of a client, the local planning authority publishes the application and invites public consultation. Neighbours and third parties may respond with objections — and their responses contain personal data: names, addresses, and often strong personal opinions.
If you download, store, or process those consultation responses, you are processing the personal data of individuals who responded to a statutory process. You need a lawful basis — in most cases, legitimate interests.
Site Photography and Drone Surveys
Site photography is increasingly routine in architectural practice. Where photography captures identifiable individuals — a neighbour walking past, a homeowner in their garden — those images are personal data under GDPR.
Drone surveys present a particular challenge. A drone survey may inadvertently capture images of neighbouring properties and individuals going about their daily lives. GDPR applies to the personal data captured in drone footage regardless of whether the flight was lawful under aviation rules.
Contractor and Subcontractor Data Sharing
A typical project involves structural engineers, M&E consultants, quantity surveyors, specialist contractors, and project managers. Each of these parties may receive personal data — client contact details, brief documents, correspondence.
Design team members who make their own decisions about the data (a structural engineer running their own project file, for example) are typically separate data controllers, each responsible for their own compliance. Contractors and tools that process data solely on your instructions are data processors, and Article 28 GDPR requires a written contract, usually a Data Processing Agreement (DPA), to be in place before they receive any personal data.
BIM Platforms and Cloud-Based Data Processing
Building Information Modelling (BIM) platforms — Autodesk Revit, ArchiCAD, Vectorworks cloud collaboration tools — increasingly involve storing project data in the cloud. When that project data contains personal information, it is being processed by the platform provider.
The platform provider is acting as a data processor on your behalf, and you remain the controller. Under GDPR you need a Data Processing Agreement with the provider (the major vendors publish one as part of their terms; check that it is actually in force for your subscription) and, if the data is processed outside the UK or EU, a valid international transfer mechanism such as an adequacy decision, the UK International Data Transfer Agreement, or the EU standard contractual clauses.
Data Retention: RIBA Guidelines, Indemnity Insurance, and GDPR
Architectural practices face a genuine tension between professional obligation and GDPR's storage limitation principle.
Professional indemnity insurance is written on a claims-made basis: it responds to claims notified while a policy is in force, not to when the work was done, which is why cover (or run-off cover) is kept running for years after completion. The Limitation Act 1980 allows six years for claims under a simple contract and twelve years for claims under a contract executed as a deed. Many practices therefore retain project records for at least twelve years.
RIBA guidance suggests retaining project documentation for a minimum of six years after practical completion.
GDPR's storage limitation principle requires that personal data not be kept for longer than necessary for the purpose it was collected for. You can reconcile these obligations by defining a formal data retention policy with a period for each record type, then anonymising client contact details once the liability period expires while retaining the design documentation itself. Properly anonymised data is no longer personal data, so storage limitation stops applying to it; data that can still be linked back to the client, for example through a retained lookup table, is only pseudonymised and stays in scope.
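The retention sweep described above, as an added example that is not part of the original article or any practice's own tooling. It assumes a simple in-memory list of project records with illustrative field names; the twelve-year and six-year defaults follow the Limitation Act figures mentioned above and a practice would substitute its own policy periods. Contact fields and the brief are cleared on expiry, the design document references are kept, and the 29 February completion date shows the calendar edge case a date-arithmetic sweep has to handle.

```python
"""Retention sweep: clear client identifiers once a project's liability
period has expired, while keeping the design record intact.

Added example, not the article's or any practice's code. The record
structure, field names and retention figures are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date

# Years from practical completion, per contract type. Twelve years is the
# Limitation Act 1980 period for a deed, six for a simple contract; a
# practice sets its own figures in its retention policy.
RETENTION_YEARS = {"deed": 12, "simple": 6}

# Fields that identify the client and are not needed to evidence the design.
CONTACT_FIELDS = ("client_name", "client_address", "client_email", "client_phone")
REDACTED = "[removed: retention period expired]"


@dataclass(frozen=True)
class ProjectRecord:
    project_ref: str
    contract_type: str            # key into RETENTION_YEARS
    practical_completion: date
    client_name: str
    client_address: str
    client_email: str
    client_phone: str
    brief_notes: str              # free text; may hold health or family details
    design_documents: tuple       # drawing/spec references, always retained
    anonymised: bool = False


def retention_expiry(record, retention=RETENTION_YEARS):
    """Date after which the record's personal data is no longer needed."""
    years = retention[record.contract_type]
    pc = record.practical_completion
    try:
        return pc.replace(year=pc.year + years)
    except ValueError:            # completion on 29 Feb, target year not a leap year
        return pc.replace(year=pc.year + years, day=28)


def is_expired(record, today):
    return today > retention_expiry(record)


def anonymise(record):
    """Copy of the record with identifiers and the brief removed, design kept.

    The brief goes as well as the contact fields: a brief describing a
    client's mobility needs or family circumstances can identify them on
    its own and may be special category data. No mapping back to the
    original values is kept, otherwise this would only be pseudonymisation.
    """
    cleared = {f: REDACTED for f in CONTACT_FIELDS}
    return replace(record, brief_notes=REDACTED, anonymised=True, **cleared)


def sweep(records, today):
    """Apply the retention policy; return (updated records, refs anonymised)."""
    updated, done = [], []
    for r in records:
        if not r.anonymised and is_expired(r, today):
            updated.append(anonymise(r))
            done.append(r.project_ref)
        else:
            updated.append(r)
    return updated, done


def sample_records():
    """Constructed sample data for this example; not real client records."""
    return [
        ProjectRecord("P-001", "deed", date(2013, 6, 1), "A. Client", "1 High St",
                      "a@example.org", "01234 567890",
                      "Ground-floor bedroom needed for mobility reasons",
                      ("A-100", "A-101")),
        ProjectRecord("P-002", "simple", date(2012, 2, 29), "B. Client", "2 High St",
                      "b@example.org", "01234 567891", "Loft conversion",
                      ("A-200",)),
        ProjectRecord("P-003", "simple", date(2021, 1, 4), "C. Client", "3 High St",
                      "c@example.org", "01234 567892", "Rear extension",
                      ("A-300",)),
    ]


if __name__ == "__main__":
    after, refs = sweep(sample_records(), date(2026, 3, 1))
    print("anonymised:", refs)
    for r in after:
        print(r.project_ref, r.client_name, r.design_documents)
```

Run against the sample data on 1 March 2026, P-001 (deed, completed 2013) and P-002 (simple contract, completed 29 February 2012, expiry clamped to 28 February 2018) are cleared and P-003 is left alone; a second run over the output changes nothing, which is the property a scheduled sweep needs. In a real practice the same logic would run over the project management and accounting systems and the email archive, since a name cleared from one store but still present in another is not anonymised.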
Compliance Checklist
Sole Practitioners
- Privacy notice: Publish a privacy notice covering what personal data you collect and individuals' rights
- Lawful basis: Identify the lawful basis for each processing activity
- Consent for marketing: Ensure valid consent, or the PECR soft opt-in for existing clients, before sending marketing emails to individuals
- Processor agreements: Ensure DPAs are in place with every cloud service and tool that processes personal data on your behalf
- Data retention policy: Define and apply retention periods for different record types
- DSAR process: Know how to respond within one month of receiving a request (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- Photography and drones: Review site photography before storage or publication
Mid-Size Practices (3+ staff)
Everything above, plus a Record of Processing Activities (ROPA; the Article 30 exemption for small organisations does not apply where processing is not occasional or involves special category data, which describes most practices), audited DPAs with all sub-consultants, staff training, a data breach response plan (reportable breaches must be notified to the ICO within 72 hours of becoming aware of them), and Data Protection Impact Assessments (DPIAs) before adopting new technology such as drone surveys or cloud BIM platforms.
Start with a Free Scan
If your practice website includes contact forms, newsletter signup, or embedded tools like Google Maps or Calendly, it is likely collecting more personal data than your privacy notice describes.
Run a free website scan at Custodia — no account required. You'll see every tracker, cookie, and third-party connection active on your site within 60 seconds.
From there, Custodia can generate an accurate privacy policy, configure a GDPR-compliant cookie consent banner, and provide a DSAR intake form with deadline tracking built in. Plans start at £24/month.
Last updated: March 2026