Why GDPR Applies to Barbers
If you run a barbershop or work as a barber, you might assume GDPR is something that only applies to large corporations or online businesses. That assumption is wrong, and potentially costly. The UK GDPR (the version of the regulation retained in UK law after Brexit) and the EU GDPR both apply to any organisation or sole trader that collects, stores, or uses personal data about identifiable individuals, however small the business.
Every time you take a customer's name and phone number to make a booking, store their service preferences, record their contact details for a loyalty card, or film your shop's interior with CCTV, you are processing personal data. That makes you a data controller under GDPR, with legal obligations you must meet.
The Information Commissioner's Office (ICO) has made clear that small businesses are not exempt from GDPR. While the fines levied on barbers are unlikely to reach the multi-million pound figures seen in high-profile cases, the ICO can still issue enforcement notices, require audits, and impose meaningful penalties for non-compliance. More importantly, your customers have the right to know how you handle their data — and increasingly, they care.
What Data Do Barbers Typically Collect?
Barbers collect more personal data than many realise. The categories typically include:
- Contact details — names, phone numbers, email addresses, sometimes home addresses for mobile barbers or home visit services.
- Booking information — appointment dates, times, services booked, preferred barber or chair, frequency of visits.
- Service history — the cuts, colours, treatments a customer has had, style preferences, product sensitivities or allergies.
- Payment data — card payment records (though if you use a third-party processor like Square, Stripe, or SumUp, they handle the sensitive card data, not you).
- Loyalty scheme data — visit counts, points balances, redemption history.
- Marketing opt-in records — whether a customer has consented to receive SMS messages, WhatsApp messages, or email newsletters.
- CCTV footage — if you have cameras in or around your shop, footage of customers is personal data.
- Staff records — employment contracts, payroll data, DBS check results, right-to-work documents, NI numbers.
Lawful Basis for Processing Customer Data
GDPR requires every act of data processing to have a lawful basis. For barbers, the most relevant are:
Contract Performance
When a customer books an appointment — whether online, over the phone, or in person — you need their contact details to fulfil that booking. Holding their name and phone number is necessary to perform the contract (the appointment). This is the contract performance lawful basis, and it means you don't need to ask for separate consent to store basic booking data.
Legitimate Interests
Keeping a record of a customer's service history, preferred cut, or usual products is in your legitimate interest as a business, because it lets you provide a better service, and it is arguably in the customer's interest too. This can typically be justified under the legitimate interests basis, provided the processing is necessary and proportionate and your interest is not overridden by the customer's own interests, rights, and freedoms.
Allergy and sensitivity information is different: it is health data, which GDPR treats as special category data, so as well as a lawful basis you need a separate condition under Article 9. For a barbershop the practical route is to ask the customer's explicit consent when you record it, and to note that consent alongside the record.
You should document a Legitimate Interests Assessment (LIA) for any processing you rely on this basis for. The ICO provides templates you can adapt.
Consent
For marketing communications — SMS messages, WhatsApp promotions, email newsletters — you need explicit, freely given consent. This means customers must actively opt in (a pre-ticked box does not count). You must record when consent was given, and customers must be able to withdraw it easily at any time.
Walk-In vs. Appointment Customers
Many barbershops serve a mix of walk-in and appointment customers. These groups have different data implications.
Walk-In Customers: If a customer walks in, sits down, and pays without giving you any personal information, you may not collect any personal data at all — GDPR doesn't apply to anonymous transactions. However, if you have CCTV, loyalty card sign-ups at the till, or take a name to add someone to a waiting list, data processing begins.
Appointment Customers: Customers who book in advance provide more data and have clearer GDPR obligations attached. They should receive a privacy notice at the point of booking, informing them of how their data will be used, how long it will be kept, and their rights under GDPR.
Booking Apps and Third-Party Processors
Many barbers use booking platforms like Treatwell, Booksy, Fresha, Square Appointments, or Vagaro. These platforms process personal data on your behalf, which makes them your data processors under GDPR.
As a data controller, you are responsible for ensuring your data processors handle data appropriately. Practically, this means:
- You must have a Data Processing Agreement (DPA) in place with your booking platform.
- You must check where the platform stores and processes data. Storage in the UK or EEA is straightforward; storage in a country not covered by UK adequacy regulations needs a transfer mechanism such as the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses, which a serious platform will include in its DPA.
- You must only allow the platform to use your customers' data for the purposes you've instructed.
- If you switch platforms, you need to ensure customer data is properly transferred or deleted from the old platform.
Loyalty Cards and Schemes
Loyalty schemes are popular in barbershops — stamp cards, digital loyalty apps, points systems. Under GDPR:
- Paper stamp cards with no personal data are generally outside GDPR's scope.
- Digital loyalty schemes that link purchases to a named customer profile are personal data processing and require a lawful basis.
- App-based loyalty programmes should have consent mechanisms built in — but verify this rather than assume it.
Do not use loyalty scheme data to send unsolicited marketing without specific consent for that purpose.
CCTV in Barbershops
CCTV footage of identifiable individuals is personal data processing. Your obligations include:
- Signage — display clear signs before customers enter the monitored area.
- Lawful basis — security CCTV is typically justified under legitimate interests. Document your justification.
- Retention period — set one, write it down, and stick to it. There is no statutory figure; 30 days is the common choice for security footage, and keeping it longer needs a reason you can explain.
- Access controls — limit who can view footage.
- Subject access requests — customers can ask for a copy of footage in which they appear. Respond within one month (extendable by up to two further months if the request is complex, provided you tell them within the first month), and blur or otherwise redact other people in the clip where that is practical.
Marketing: SMS, WhatsApp, and Email
SMS Marketing
You need consent to send promotional SMS messages. A customer giving you their phone number for booking purposes does not, by itself, constitute consent to receive marketing texts. PECR's soft opt-in (described under Email Newsletters below) also covers SMS, since PECR treats text messages as electronic mail, but only if you met its conditions when you collected the number; if you did not, you need explicit opt-in consent before the first promotional text.
WhatsApp Business Messages
For transactional messages (appointment confirmations, reminders), you can send on the basis of the booking contract. For promotional messages, you need consent.
Email Newsletters
Email marketing to existing customers can rely on the soft opt-in rule under PECR. The conditions are that you obtained the address in the course of selling them a service, that you are marketing your own similar services, and that you gave them a clear, simple opportunity to opt out both when you collected the address and in every message you send. If any of those conditions is missing, you need consent instead.
Staff Data
Your obligations under GDPR extend to the personal data you hold about your staff:
- Employment contracts — justified under legal obligation and contract performance.
- Payroll data — required for HMRC; justified under legal obligation.
- DBS checks — the result is criminal records data, which needs its own condition for processing. Store it securely, record the date, reference number, and outcome of the check, and do not keep the certificate itself for longer than the six months the DBS code of practice allows unless you have a documented reason.
- Right to work checks — retain for duration of employment plus two years.
- Sickness records — health data is special category data requiring extra care.
Staff must receive a staff privacy notice at the start of their employment.
Data Retention
GDPR's storage limitation principle requires you not to keep personal data longer than necessary:
- Booking records — 12–24 months after the last appointment.
- Financial records — at least 6 years (HMRC requirement).
- Marketing consent records — keep for as long as you hold the customer's data.
- CCTV footage — your documented period, typically 30 days.
- Staff employment records — duration of employment plus 6 years.
- Loyalty scheme data — active membership plus 12 months of inactivity.
One record can fall under two rows of this schedule. A customer's invoices are financial records and must survive for 6 years even after their booking profile is purged, so keep invoices separate from the profile and put only the details the invoice itself needs in them, not the phone number or appointment notes. Marketing consent records go when the customer's data goes.
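A worked example of how that schedule turns into something you can run each month, added here and not code from the page or from any booking platform. It assumes an export of the shop's records in the simple in-memory layout shown (customer profiles, bookings, loyalty stamps, invoices, a CCTV clip index, staff records), all constructed for the example, and a hypothetical `legal_holds` parameter for footage that must outlive the 30 days because a subject access request or an incident is open. It computes cutoffs in calendar months rather than a fixed number of days, keeps invoices on their own 6-year clock even when the customer profile is purged, and deletes the marketing consent record together with the profile it covers:

```python
"""Retention purge planner for a barbershop's customer, CCTV and staff records.

Added example; not code from the page. The record layout, field names and the
sample data are constructed for illustration. Retention periods are the ones
in the schedule above; the booking figure uses the top of the 12-24 month range.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

BOOKING_MONTHS_AFTER_LAST_VISIT = 24   # booking records and the customer profile
LOYALTY_INACTIVITY_MONTHS = 12         # loyalty balances
CCTV_DAYS = 30                         # footage
FINANCIAL_YEARS = 6                    # invoices (HMRC minimum; the schedule says "at least")
STAFF_YEARS_AFTER_LEAVING = 6          # staff employment records
RUN_DATE = date(2025, 6, 1)            # constructed run date for the sample below


@dataclass
class Shop:
    """Constructed stand-in for a booking-platform export plus the shop's own files."""
    customers: dict   # customer_id -> {"name", "phone", "consent_given_on": date | None}
    bookings: list    # (customer_id, appointment_date)
    loyalty: dict     # customer_id -> date of last stamp
    invoices: list    # (invoice_id, customer_id, issued_on)
    cctv_clips: list  # (clip_id, recorded_on)
    staff: dict       # staff_id -> {"name", "left_on": date | None}


@dataclass
class PurgePlan:
    delete_customers: set = field(default_factory=set)
    delete_loyalty: set = field(default_factory=set)
    delete_invoices: set = field(default_factory=set)
    delete_clips: set = field(default_factory=set)
    delete_staff: set = field(default_factory=set)


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction, clamping the day to the shorter month if needed."""
    y, m0 = divmod(d.year * 12 + d.month - 1 - months, 12)
    m = m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def plan_purge(shop: Shop, today: date, legal_holds: set | None = None) -> PurgePlan:
    """Decide what the schedule says should go on `today`, without deleting anything.

    `legal_holds` (hypothetical parameter): clip ids that must be kept past 30 days
    because an access request or incident report is open. They are skipped here.
    """
    holds = legal_holds or set()
    plan = PurgePlan()
    booking_cutoff = months_before(today, BOOKING_MONTHS_AFTER_LAST_VISIT)
    loyalty_cutoff = months_before(today, LOYALTY_INACTIVITY_MONTHS)
    cctv_cutoff = today - timedelta(days=CCTV_DAYS)
    financial_cutoff = months_before(today, 12 * FINANCIAL_YEARS)
    staff_cutoff = months_before(today, 12 * STAFF_YEARS_AFTER_LEAVING)

    # "After the last appointment" means the newest booking per customer, including
    # future ones, so a regular with a long history is not purged by mistake.
    last_visit: dict = {}
    for cid, when in shop.bookings:
        last_visit[cid] = max(when, last_visit.get(cid, when))

    for cid in shop.customers:
        last = last_visit.get(cid)
        if last is None:
            continue  # profile with no bookings at all: leave for manual review
        if last < booking_cutoff:
            # Profile, booking history and the marketing consent record go together:
            # consent evidence is kept exactly as long as the data it covers.
            plan.delete_customers.add(cid)
            if cid in shop.loyalty:
                plan.delete_loyalty.add(cid)
        elif cid in shop.loyalty and shop.loyalty[cid] < loyalty_cutoff:
            plan.delete_loyalty.add(cid)  # balance lapses, profile stays

    # Invoices outlive the profile: kept for the HMRC period even after the customer
    # is purged, so they carry only the customer_id, not the name or phone number.
    for inv_id, _cid, issued_on in shop.invoices:
        if issued_on < financial_cutoff:
            plan.delete_invoices.add(inv_id)

    for clip_id, recorded_on in shop.cctv_clips:
        if recorded_on < cctv_cutoff and clip_id not in holds:
            plan.delete_clips.add(clip_id)

    for sid, record in shop.staff.items():
        left_on = record.get("left_on")
        if left_on is not None and left_on < staff_cutoff:
            plan.delete_staff.add(sid)
    return plan


def sample_shop() -> Shop:
    """Constructed sample data; dates chosen around RUN_DATE. Phone numbers are fictional."""
    return Shop(
        customers={
            "c1": {"name": "Alice", "phone": "07700 900001", "consent_given_on": date(2024, 11, 2)},
            "c2": {"name": "Bob", "phone": "07700 900002", "consent_given_on": date(2023, 1, 5)},
            "c3": {"name": "Carol", "phone": "07700 900003", "consent_given_on": None},
        },
        bookings=[("c1", date(2024, 11, 2)), ("c1", date(2025, 5, 20)),
                  ("c2", date(2023, 4, 10)), ("c3", date(2024, 1, 15))],
        loyalty={"c1": date(2025, 5, 20), "c3": date(2024, 1, 15)},
        invoices=[("inv-0", "c9", date(2018, 12, 31)), ("inv-1", "c2", date(2023, 4, 10))],
        cctv_clips=[("clip-a", date(2025, 5, 25)), ("clip-b", date(2025, 4, 15)),
                    ("clip-c", date(2025, 4, 20))],
        staff={"s1": {"name": "Dan", "left_on": None},
               "s2": {"name": "Eve", "left_on": date(2018, 5, 1)},
               "s3": {"name": "Fay", "left_on": date(2020, 1, 1)}},
    )


def run_sample() -> PurgePlan:
    """Plan a purge of the sample data with clip-c on hold for an open access request."""
    return plan_purge(sample_shop(), RUN_DATE, legal_holds={"clip-c"})


if __name__ == "__main__":
    for bucket, ids in vars(run_sample()).items():
        print(f"{bucket}: {sorted(ids)}")
```

The planner only decides; it returns a plan you can review or log before anything is deleted, and that log is also your evidence that the retention schedule is actually being applied. Run it against a real export with an empty hold set first, read the plan, and only then wire deletion to it.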
GDPR Compliance Checklist for Barbers
Data Inventory
- [ ] Identified all personal data you collect
- [ ] Know where it is stored
- [ ] Assigned a lawful basis to each processing activity
Privacy Notice
- [ ] Privacy notice on website or displayed in-shop
- [ ] Covers what data you collect, why, retention periods, and customer rights
- [ ] Staff have a separate staff privacy notice
Consent and Marketing
- [ ] Explicit consent collected before sending marketing communications
- [ ] Consent records maintained
- [ ] Easy opt-out mechanism in place
Third-Party Platforms
- [ ] Data Processing Agreements with booking platform and payment processor
- [ ] Reviewed platform data practices
CCTV
- [ ] Signs displayed prominently
- [ ] Footage deleted at the end of your documented retention period (typically 30 days)
- [ ] Access restricted to authorised staff
Data Retention
- [ ] Retention policy in place
- [ ] Regular deletion schedule established
Security
- [ ] Customer data held securely: booking platform logins unique to each staff member with two-factor authentication where the platform offers it, shop computers and phones locked and encrypted, paper records in a locked drawer
- [ ] Data breach response process in place, including who decides whether a breach is reportable to the ICO within the 72-hour deadline
- [ ] Staff trained on data protection basics
Getting Started
GDPR compliance for a barbershop doesn't have to be overwhelming. Audit the data you hold, assign a lawful basis to each processing activity, write a privacy notice, get proper consent for marketing, configure your booking platform correctly, and set a retention schedule. Most barbershops can achieve solid baseline compliance in a few hours of focused effort.
Tools like Custodia can help you generate a privacy policy, identify compliance gaps, and set up cookie consent for your website.