Custodia-Admin
GDPR for Architects and Design Firms: How to Handle Client and Project Data Compliantly

Architects and interior designers collect some of the most intimate personal data in any profession — not financial data in the abstract sense, but detailed knowledge of how people live inside their homes. Floor plans reveal room layouts, sleeping arrangements, and security features. Site photographs capture domestic life. Client files hold addresses, budgets, and family circumstances. If you operate in the UK or EU, all of this is personal data regulated by GDPR (or UK GDPR post-Brexit), and you need a lawful basis to hold and use it.

This guide sets out what architects, interior designers, and design studio owners need to know — from the data you collect on day one of a project to how long you can keep files after practical completion.


What Personal Data Do Architects and Design Firms Collect?

Before you can manage data compliantly, you need to know what you actually hold. Most practices are surprised by how much personal data flows through a typical project.

Client contact and identity data: Names, email addresses, phone numbers, and postal addresses are collected at the first enquiry stage. For residential clients, this is always personal data. For corporate clients, it depends on whether you hold data relating to named individuals within the company.

Financial data: Fee proposals, invoices, payment records, and bank details. For residential commissions, these reveal household income and spending in granular detail.

Property and home address data: You hold not just a client's contact address but detailed knowledge of their primary residence — its layout, access points, structural features, and security arrangements. A full set of as-built drawings is, in practice, a blueprint for someone's home.

Floor plans and spatial data: These reveal living arrangements, bedroom counts, and sometimes information about household members — children's rooms, accessibility adaptations for elderly relatives, or medical equipment spaces. ICO guidance makes clear that information which allows inference about household composition or personal circumstances is personal data even if names are not attached.

Photographs of client homes: Interior and exterior photography for case studies, planning applications, or project records captures personal domestic environments. Where a photograph identifies a property (which most exterior shots do, via address or recognisable features), it constitutes personal data relating to the occupant.

Drone photography: Aerial survey imagery of residential properties raises specific GDPR considerations. Drones capture not only the subject property but neighbouring gardens, outdoor spaces, and potentially individuals going about daily life. This is personal data relating to third parties who have not consented to being photographed.

Staff and consultant data: Names, contact details, CVs, RIBA/ARB registration numbers, professional indemnity certificate references, and payroll information for employees and sub-consultants.


Lawful Basis for Processing Client Project Data

Under GDPR Article 6, you need a lawful basis to process personal data. For architects and designers, the primary basis for client project data is contract (Article 6(1)(b)): you are processing the data because it is necessary to perform the contract you have entered into with the client.

This covers collecting contact details, using the address for site visits and planning applications, sharing drawings with contractors for construction, and holding payment records for invoicing.

What contract does not cover:

  • Processing client home photographs for your own marketing portfolio
  • Publishing case studies that identify a property or client
  • Using client contact details to send newsletters or promotional content
  • Retaining files beyond what professional indemnity obligations require

For these activities, you need a separate lawful basis — typically consent (Article 6(1)(a)) for publishing photographs or case studies, and legitimate interest (Article 6(1)(f)) for some forms of ongoing communication, provided it passes the three-part balancing test.


Project Management Software as Data Processors

Most practices use at least one project management platform to manage tasks, document exchange, and client communications. Under GDPR, these platforms are data processors — they process personal data on your behalf, under your instruction.

Common platforms used by design and architecture firms include:

Deltek (Vantagepoint / Vision): A practice management platform widely used by larger architecture firms for project accounting, resource planning, and CRM. Deltek acts as a data processor. You need a Data Processing Agreement (DPA) with Deltek, and you should confirm the data hosting location — if data is held outside the EEA, you need to ensure adequate transfer safeguards are in place.

ArchiSnapper: A field reporting tool used for site inspections, punch lists, and snag lists. Reports include site photographs and often the property address. ArchiSnapper processes this data as your processor. Review their DPA and data retention settings.

Buildertrend: Used by design-build firms and contractors for project management, client communication, and scheduling. Client personal data flows through Buildertrend, making it a processor. Confirm DPA coverage and data hosting jurisdiction.

Houzz Pro: Widely used by interior designers for mood boards, client collaboration, and project management. Client data uploaded to Houzz Pro — including contact details and project communications — is processed by Houzz. Review their business terms for DPA provisions and data portability.

For each platform you use, you should: confirm a DPA is in place (most major platforms provide these on request or through their terms of service); record the platform in your Records of Processing Activities (RoPA); and check whether data is processed outside the EEA and what safeguards apply.


Sharing Plans with Contractors and Sub-Consultants: The Processor Chain

Architecture projects involve multiple parties — structural engineers, mechanical and electrical consultants, planning consultants, contractors, and specialist sub-contractors. When you share client data with these parties, GDPR governs how you do it.

Other professional consultants (structural engineers, MEP engineers, planning consultants) are typically acting as independent data controllers — they receive client data to perform their own professional services and have their own obligations under GDPR. You should include appropriate data sharing provisions in appointment letters, and your privacy notice should identify the categories of recipients.

Contractors and sub-contractors who receive drawings and specifications for construction purposes are often best treated as processors — they process the data (the project documentation) under your instruction for the purpose of building out your design. Larger main contractors will typically have their own GDPR positions; your contract should address data handling.

Sub-consultants you engage directly — specialist lighting designers, acoustic consultants, landscape architects — receive client data as part of delivering services. Your appointment agreements with them should include data processing provisions or confirm their independent controller status.

The practical steps: document who receives client data and on what basis in your RoPA; include data handling clauses in all consultant and contractor appointments; and ensure your privacy notice describes the categories of third parties with whom you share client data.


Drone Photography and GDPR

Drone surveys are increasingly common in architecture — for site surveys, photogrammetry, progress monitoring, and marketing imagery. GDPR applies whenever a drone captures images that can identify individuals or properties.

For residential sites: Aerial photography of a client's home is personal data relating to the client. You should address drone photography in your client appointment and privacy notice. If you plan to use the imagery for marketing purposes beyond the project, you need explicit consent.

For neighbouring properties: Drone cameras inevitably capture images of adjacent properties, gardens, and — sometimes — people. This is processing of personal data relating to third parties who have not consented. The Information Commissioner's Office (ICO) has published guidance on drone use: you should minimise capture of neighbouring properties, avoid filming people, and not retain third-party property imagery longer than necessary for the project purpose.

For planning purposes: Drone imagery submitted as part of a planning application becomes part of the public planning record. Be aware that this creates a public disclosure of imagery relating to neighbouring properties.

CAA compliance: UK Civil Aviation Authority rules on drone operation are separate from GDPR but intersect with it — operating in residential areas requires specific permissions, and holding those permissions also bears on your lawful basis for capturing the imagery.


Planning Applications and Public Disclosure of Addresses

When you submit a planning application, the local authority publishes the application — including the site address, applicant details in some cases, and the application documents — on a public planning register. This is a legal obligation and constitutes processing under a legal obligation (Article 6(1)(c)).

However, this public disclosure has implications:

  • Client home addresses become part of a permanent public record
  • Supporting documents, including existing floor plans, may be published online
  • Third parties may access and aggregate this information

You should inform residential clients of this in your privacy notice and appointment documentation. It is good practice to discuss with clients what information they are comfortable having in the public planning record — for example, whether existing floor plans showing full layouts need to be submitted, or whether a site plan at a less revealing scale would suffice.

For listed building applications, historic building records, and heritage statements, the same public disclosure applies.


Client Photo Portfolios and Published Case Studies

Publishing project photographs on your website, in award submissions, or in professional journals is common practice. Under GDPR, you need a clear lawful basis and — where the images identify a residential property or its occupants — consent is typically the appropriate basis.

What requires consent:

  • Publishing exterior photographs that identify a specific property by address or recognisable features
  • Publishing interior photographs from a residential property
  • Any case study that names the client or includes identifiable details
  • Social media posts featuring client homes

How to obtain valid consent: Consent under GDPR must be freely given, specific, informed, and unambiguous. A verbal agreement or general approval in a client satisfaction email is not valid GDPR consent. You need a written record of what the client agreed to — specifically, that they consent to photographs of their property being used for your marketing, on your website, in award submissions, and/or in editorial features. Keep a record of consent alongside the project file.

Withdrawal of consent: Clients have the right to withdraw consent at any time. You should have a process for removing images from your website and portfolio materials if a client withdraws consent, and you should tell clients this right exists when you collect consent.

Commercial projects: For commercial clients, photographs of the building are less likely to constitute personal data about identifiable individuals, but check whether the client organisation has confidentiality expectations about interior layouts before publishing.


Staff Data: RIBA/ARB Registration and Professional Records

Architecture practices process significant volumes of staff personal data beyond standard HR records.

Professional registration data: ARB (Architects Registration Board) registration numbers, RIBA membership numbers, and associated CPD records are personal data. These are typically processed under contract (employment or contractor agreements) and legitimate interest for professional compliance purposes.

Continuing Professional Development (CPD) records: Detailed CPD logs, training records, and professional development plans are personal data. They should be held securely, shared only as necessary (for example, with clients who require evidence of professional competence), and retained only as long as relevant.

PI insurance certificates: Individual PI certificates naming employees or directors are personal data. Handle appropriately and avoid distributing more widely than necessary.

RIBA practice accreditation: If your practice holds RIBA Chartered Practice status or other accreditations, the associated records of named individuals should be handled as personal data.

For all staff data, your lawful basis is primarily contract (for employment data) and legal obligation (for statutory requirements). Document your retention periods — ARB requires registration records to be maintained, but there are limits on how long you may retain other employment records after an employee leaves.


Retaining Client Project Files: Professional Indemnity vs. GDPR Storage Limitation

This is one of the most practically significant tensions for architects. GDPR's storage limitation principle requires that personal data is not kept longer than necessary for the purpose. Professional practice, however, requires retaining project files for the duration of the professional indemnity (PI) limitation period.

The PI retention period: In the UK, claims in contract can be brought up to six years after practical completion; claims in tort can be brought up to fifteen years (under the Latent Damage Act 1986). Most architecture practices retain project files for at least 12-15 years for PI purposes, with some practices retaining indefinitely. RIBA guidance has historically suggested 15 years as a minimum.

The GDPR position: Retaining personal data for PI purposes is a legitimate purpose — professional indemnity obligations represent a clear legal and legitimate business need that justifies retention beyond what the original project purpose strictly required. This should be documented in your privacy notice and your data retention policy.

What to do in practice:

  • Document your retention periods by category in a data retention policy
  • Be specific: client contact details held in CRM vs. full project files vs. financial records may have different justifiable retention periods
  • Where you retain for PI purposes, record this as the justification
  • After the retention period expires, delete or anonymise the data — do not retain indefinitely by default
  • Consider whether all data in a project file needs to be retained for PI purposes, or whether some elements (for example, marketing correspondence) can be deleted earlier


GDPR Compliance Checklist for Architects and Design Firms

Use this checklist to assess your current position:

Privacy notice and documentation

  • Privacy notice published on your website covering all processing activities
  • Client-facing privacy notice provided at appointment stage
  • Records of Processing Activities (RoPA) maintained and up to date
  • Data retention policy documented with justified retention periods by category

Client data

  • Lawful basis identified for each category of client data processing
  • Consent obtained in writing before publishing photographs or case studies
  • Consent withdrawal process in place and communicated to clients
  • Planning application disclosure explained to clients in advance

Project management software and processors

  • Data Processing Agreements in place with all software platforms
  • International data transfers reviewed and safeguards confirmed
  • Processors listed in your RoPA

Consultant and contractor chain

  • Data handling provisions included in all consultant and contractor appointments
  • Sharing arrangements with independent controllers documented
  • Third-party recipient categories described in your privacy notice

Drone photography

  • Drone photography policy documented
  • Consent obtained for residential drone surveys used in marketing
  • Third-party property imagery minimised and not retained beyond project need

Staff data

  • Employment contracts and HR policies address data handling
  • RIBA/ARB registration data held securely
  • Retention periods for post-employment records documented

Security

  • Project files encrypted at rest and in transit
  • Access controls limiting who can access client files
  • Incident response procedure in place for data breaches


Ready to See What Your Practice's Website Is Collecting?

Your website may be collecting and transmitting personal data through analytics platforms, embedded tools, and third-party scripts that you haven't fully mapped. Before you can describe your website data practices accurately in a privacy notice, you need to know what's actually running.

Scan your website free at https://app.custodia-privacy.com/scan — no signup required, results in 60 seconds.


This post provides general information about GDPR as it applies to architecture and design practices. It does not constitute legal advice. Data protection obligations vary by jurisdiction, the specific nature of your practice, and the projects you undertake. Consult a qualified data protection lawyer or RIBA-affiliated DPO for advice specific to your situation.