Why GDPR Applies to Florists
At first glance, running a flower shop might seem a world away from the data-heavy operations of banks or tech companies. But florists collect and process a surprisingly rich set of personal information every day: names, home and work addresses, mobile numbers, email addresses, payment card details, occasion notes, gift messages, and delivery instructions. When a customer orders a bouquet for a birthday or a casket spray for a funeral, they share personal details — sometimes deeply personal ones — in trust.
If your florist business operates in the United Kingdom or the European Union, or serves customers based there, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to you. The regulation is not limited to large corporations. Any business, sole trader, or partnership that collects and uses personal data is a data controller and must comply.
Non-compliance carries real risks. The Information Commissioner's Office (ICO) can issue fines of up to £17.5 million or 4% of annual global turnover for serious breaches. More commonly, florists face smaller fines, enforcement notices, and reputational damage if a data breach or complaint triggers an ICO investigation. Taking compliance seriously protects both your customers and your business.
What Personal Data Do Florists Collect?
To understand your compliance obligations, start by mapping every category of personal data your business handles. For a typical florist, this includes:
- Customer contact details: Full names, postal addresses (billing and delivery), telephone numbers, and email addresses collected at the point of order or account creation.
- Payment data: Card numbers, expiry dates, and CVV codes processed through your payment terminal or online checkout.
- Delivery information: Recipient names and addresses, including third-party recipients who have not directly interacted with your business.
- Occasion and personal notes: Information about birthdays, anniversaries, bereavements, weddings, hospital visits, or other life events.
- Gift messages: The text of personal messages attached to orders, which may contain intimate or emotionally significant content.
- Wedding and event details: Colour schemes, preferred flower varieties, venue addresses, ceremony times, budget discussions, and the names of key individuals.
- Marketing preferences: Whether a customer has opted in to receive newsletters, promotional offers, or seasonal reminders.
- Website interaction data: IP addresses, browsing behaviour, and cookies collected via your website or online shop.
Lawful Basis for Processing Customer Data
UK GDPR requires every processing activity to rest on one of six lawful bases. For florists, the most relevant are:
Contract Performance
When a customer places an order, processing their name, address, and payment details is necessary to fulfil the contract. You need their delivery address to get the flowers there; you need their phone number to call if there is a problem with the order.
Legitimate Interests
Legitimate interests can justify processing where you have a genuine business reason that is not overridden by the customer's rights. Examples include sending a follow-up email to confirm delivery was successful, or retaining an address history to help a repeat customer reorder easily. However, you must conduct a Legitimate Interests Assessment (LIA) and document your reasoning.
Consent
Marketing communications — newsletters, promotional emails, loyalty scheme updates — typically require freely given, specific, informed, and unambiguous consent. Consent must be obtained via a clear opt-in mechanism. A pre-ticked box is not valid consent.
Legal Obligation
Retaining financial records for HMRC compliance purposes falls under legal obligation. You are required by law to keep invoices and receipts for a defined period.
Wedding and Event Bookings
Wedding floristry presents particular data protection considerations. Couples typically book a florist months — sometimes over a year — in advance. During the consultation and planning process, you accumulate detailed personal information: the couple's names and contact details, venue addresses, supplier contacts, bridal party sizes, and sometimes sensitive details about family circumstances or budget constraints.
Key obligations for wedding and event bookings include:
- Transparency: Your privacy notice must explain that you collect and process data for event planning purposes and how long you retain it after the wedding.
- Security during the planning period: Data collected months before the wedding must be stored securely throughout.
- Supplier data sharing: If you share client details with venues, other wedding suppliers, or florist assistants, you must have appropriate agreements in place.
- Post-event retention: After the wedding, establish a clear retention period and delete data when the period expires.
- Portfolio photography: If you photograph your floral arrangements at weddings and wish to use these images publicly, ensure you have the couple's explicit consent.
Delivery Records and Third-Party Couriers
Many florists use third-party courier services or delivery drivers to fulfil orders. When you pass a recipient's name and address to a courier, you are sharing personal data with a third party. UK GDPR requires you to have a Data Processing Agreement (DPA) in place with any third party that processes personal data on your behalf.
You should also:
- Only share the minimum data necessary for delivery.
- Confirm that the courier deletes delivery data after a defined period.
- Check that any delivery tracking system processes data within the UK or EU, or has appropriate safeguards for international transfers.
Gift Messages and Personal Occasion Data
Gift messages are among the most personal data a florist handles. A message accompanying flowers for a bereavement, a reconciliation, or a romantic occasion can be deeply intimate. Customers trust you to treat these messages with discretion.
Practical steps include:
- Do not share gift message content with delivery drivers unless necessary.
- Avoid printing full gift messages on external packing labels visible to anyone who handles the package.
- Retain gift messages only as long as necessary to fulfil the order.
- Ensure your order management system restricts access to gift message data to authorised staff only.
Marketing: Email Newsletters, Loyalty Schemes, and Opt-In Requirements
Many florists build repeat business through seasonal marketing: Valentine's Day, Mother's Day, Christmas, and anniversary reminders. Email and text message marketing is covered by both UK GDPR and the Privacy and Electronic Communications Regulations (PECR).
To send marketing emails or texts to individual consumers, you need their prior consent. Consent must be opt-in — a pre-ticked box or a blanket statement does not satisfy PECR.
PECR includes a "soft opt-in" provision that allows you to send marketing communications to existing customers without fresh consent, provided that: the customer purchased a similar product or service from you; you gave them a clear opportunity to opt out at the time of purchase; and you include an opt-out in every subsequent message.
Every marketing email must include a clear, functional unsubscribe link. Opt-out requests must be honoured promptly.
Data Retention
UK GDPR requires you to keep data for no longer than necessary. A sensible retention framework for florists:
- Order records and financial documents: Retain for six years after the end of the relevant financial year.
- Customer contact details (non-financial): Review after three years of inactivity and delete if no longer needed.
- Delivery addresses for recipients: Delete after delivery is confirmed and the dispute resolution window has passed.
- Gift messages: Delete after delivery is confirmed.
- Wedding planning files: Retain financial records for six years; delete planning notes within six to twelve months post-event.
- Marketing consent records: Retain for as long as the customer remains on your marketing list.
Online Shop Compliance
If you sell flowers through an online shop, additional compliance obligations apply.
Cookie Consent
Your website almost certainly uses cookies. Under PECR, non-essential cookies require prior consent. You must display a cookie consent banner that appears before non-essential cookies are set, explains what each category of cookie does, and allows the visitor to accept or reject categories individually.
Privacy Notice
Your website must display a comprehensive privacy notice covering: who you are; what data you collect and why; the lawful basis for each processing activity; who you share data with; how long you keep it; and how customers can exercise their rights.
Secure Payment Processing
If you take card payments online, use a PCI DSS compliant payment gateway. Services such as Stripe, PayPal, or Square handle card data on your behalf.
Practical GDPR Compliance Checklist for Florists
- Privacy notice: Is there a clear, up-to-date privacy notice on your website?
- Cookie consent banner: Does your website display a compliant cookie consent banner?
- Lawful basis documentation: Have you documented the lawful basis for each category of data?
- Marketing consent records: Do you have records of when and how each customer consented?
- Suppression list: Do you maintain a suppression list of customers who have opted out?
- Data Processing Agreements: Do you have signed DPAs with your courier, payment processor, and other data processors?
- Data retention schedule: Is your retention schedule documented and applied consistently?
- Security measures: Is personal data stored securely with access controls in place?
- DSAR process: Do you have a process for responding to Data Subject Access Requests within one calendar month?
- Data breach procedure: Do you have a documented plan for reporting breaches to the ICO within 72 hours?
- ICO registration: Is your business registered with the ICO?
- Staff awareness: Have all staff received basic GDPR awareness training?
- Wedding photography consent: Do you obtain explicit written consent before using wedding photographs publicly?
Getting Help with GDPR Compliance
GDPR compliance does not have to be overwhelming. For most florists, the core requirements can be achieved without a dedicated legal team.
Custodia helps small and independent businesses automate the core elements of GDPR compliance: scanning your website for data collection points, generating compliant privacy notices and cookie consent banners, and processing Data Subject Access Requests.
Start with a free website scan at app.custodia-privacy.com to identify immediate compliance gaps.