Interior designers sit at an unusual intersection of creative service and personal intimacy. You enter clients' homes, learn about their finances, family dynamics, daily routines, and aesthetic preferences. You photograph their living spaces for marketing. And you share client information with suppliers, contractors, and tradespeople to get work done.
All of that — the briefs, the photos, the supplier communication — is personal data under GDPR. If you operate in the UK or EU, or serve clients who do, you need a clear-eyed view of what data you hold, how you handle it, and where your compliance gaps might be.
Client Briefs: Home Addresses, Lifestyles, and Budgets
The initial client brief is where you collect some of your most sensitive data. A typical brief might include:
- Full home address (or multiple property addresses)
- Family composition — adults, children, pets
- Daily routines and lifestyle preferences
- Health considerations affecting the design (mobility, allergies, sensory needs)
- Budget and financial parameters
- Aesthetic preferences and personal tastes
Under GDPR, all of this is personal data, and the health information is special category data, which attracts the highest level of protection. Your lawful basis for collecting brief data is typically contract performance, but that basis alone does not cover special category data: you also need an Article 9 condition, which for a design studio in practice means the client's explicit consent to record it. Either way, collect only what you genuinely need.
Action: Audit your onboarding forms and client questionnaires. Remove any questions that collect data you do not directly use in your design work.
Project Photography: Consent Before You Post
Before-and-after photography is the lifeblood of an interior design portfolio. It is also one of the most common areas where designers inadvertently breach GDPR. When you photograph a client's home, you may be capturing:
- The home's interior layout and features (which, combined with the address, is identifiable personal information)
- Personal possessions, family photos on walls, documents left on desks
- Images that, if published, would allow the property to be identified and linked to the client
Using those images in your portfolio, on Instagram, on Pinterest, or in press features requires a separate, explicit consent from the client. A buried clause in your service contract saying "we may photograph completed projects" does not meet this standard. You need a standalone photography consent form.
Action: Create a photography consent form separate from your service agreement. Obtain it before shooting, keep a copy on file, and make the form state where the images may appear (portfolio, social media, press, supplier reposts) and that the client can withdraw consent later.
Supplier and Contractor Sharing
Every time you share a client's name, address, contact details, or brief with a third party, you are disclosing personal data. GDPR requires you to:
- Tell clients in your privacy notice which categories of suppliers and contractors you share data with
- Share only what is necessary — a furniture supplier needs a delivery address, not the client's full brief
- Use Data Processing Agreements (DPAs) where suppliers process data on your behalf and under your instructions (a cloud CRM, for example). A tradesperson who decides for themselves how to deliver their own service is usually a separate controller, so no DPA is needed, but the disclosure still has to be covered in your privacy notice
Action: Update your client-facing privacy notice to list the categories of third parties you share data with.
Home Access Records and Security
When contractors access a client's home, you often coordinate access — sharing keys, alarm codes, or smart lock codes. This access data is particularly sensitive because it relates to physical security.
- Share access codes through a different channel from the one carrying the address and brief, and only with the individual who needs them
- Do not retain access codes, key copies, or alarm codes beyond project completion, and ask the client to change any code that was shared once the work is done
- Treat any breach of access data with extra urgency: it has immediate physical safety implications, is almost certainly reportable to the ICO within 72 hours, and the client must be told without undue delay so they can change codes or locks
Action: Establish a clear policy for disposing of client access information at project close-out.
Email Marketing: Past Clients and Prospect Lists
For past clients, you may be able to rely on the "soft opt-in" under PECR: if you collected the email address during a sale or negotiations for a sale, you market only your own similar services, and you gave a simple way to opt out both when you collected the address and in every message since, you can email them without fresh consent. Note that PECR's consent and soft opt-in rules apply to individual subscribers; messages to a company's corporate address are treated differently.
For cold prospects, you need explicit consent before sending marketing emails.
Action: Audit your mailing list. Segment past clients from cold contacts who need explicit consent.
CRM Tools and Contact Management
Each CRM platform is a location where personal data lives. You need to know which CRM you use, where its servers are located, and what data it holds. If your CRM is hosted by a US provider, check the transfer mechanism it relies on: for EU client data, EU-US Data Privacy Framework certification or standard contractual clauses; for UK client data, the UK Extension to the Data Privacy Framework (the UK-US data bridge) or the ICO's International Data Transfer Agreement or Addendum. Confirm the provider is actually on the published certification list rather than taking a marketing page at its word.
Custodia can help you identify which third-party services your website is passing data to — including CRM integrations — so you know exactly what is flowing where before a client asks.
Scope Creep in Data Collection
It is easy to accumulate more data than you strictly need — lifestyle diaries, notes about family dynamics, extensive photographic records of personal possessions. GDPR's data minimisation principle requires you to collect only what is necessary for the stated purpose.
Action: Review what you record in project files and CRM entries. Delete data that does not serve any defined project or business purpose.
Data Retention for Completed Project Files
A reasonable retention policy for interior design might look like:
- Active project files: Retained for the duration of the project plus a dispute resolution window (typically 6–12 months post-completion; longer if your insurer requires it, since the limitation period for contract claims in England and Wales is six years)
- Financial records: Retained for the period HMRC requires (six years from the end of the accounting period for limited companies; at least five years after the 31 January filing deadline for sole traders)
- Client contact details for marketing: Retained only while the client is on your mailing list
- Photographs: If consented for portfolio use, retained indefinitely subject to the consent terms
Action: Write a data retention policy and apply it consistently.
Website Analytics and Contact Form Compliance
If you use Google Analytics, you are setting cookies and sending the visitor's IP address and behaviour data to Google. Under PECR this requires a cookie consent banner that obtains active opt-in before any tracking script runs, with rejecting as easy as accepting. Passive banners ("by continuing to browse you agree") are not compliant, and neither is loading the tracker first and asking afterwards.
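The gating the paragraph describes, written out as an added example (not Custodia's or Google's code): the tracker is injected only after an explicit accept, a stored decision is replayed on later visits, and scrolling or dismissing the banner changes nothing. The storage key, the placeholder measurement ID and the in-memory stand-ins for `localStorage` and `document` are assumptions made so the file runs in Node without a browser; in a real page you would pass `window.localStorage` and `document` instead.

```javascript
// Consent-gated analytics loading. Added example for this guide, not
// Custodia's or Google's code. The storage key, the measurement ID and the
// in-memory "storage" and "document" below are assumptions so this runs in Node.

const CONSENT_KEY = 'analytics_consent';      // assumed localStorage key
const GA_ID = 'G-0000000000';                 // placeholder, not a real property
const GTAG_SRC = `https://www.googletagmanager.com/gtag/js?id=${GA_ID}`;

// Build a gate around a page: nothing is injected until grant() is called.
function createConsentGate(storage, doc) {
  let injected = false;

  // Only two stored values count as decisions; anything else means "ask".
  function state() {
    const v = storage.getItem(CONSENT_KEY);
    return v === 'granted' || v === 'denied' ? v : 'unknown';
  }

  // The only code path that inserts the tracker. It refuses to run unless the
  // stored decision is an explicit 'granted', and never injects twice.
  function loadAnalytics() {
    if (injected || state() !== 'granted') return false;
    const s = doc.createElement('script');
    s.async = true;
    s.src = GTAG_SRC;
    doc.head.appendChild(s);
    injected = true;
    return true;
  }

  return {
    state,
    // Wired to the banner's "Accept" button only: an explicit act by the visitor.
    grant() { storage.setItem(CONSENT_KEY, 'granted'); return loadAnalytics(); },
    // Wired to "Reject": nothing is loaded and the refusal is remembered so the
    // visitor is not nagged on every page.
    deny() { storage.setItem(CONSENT_KEY, 'denied'); return false; },
    // Scrolling, closing the banner or navigating on must NOT be treated as
    // consent: these events never write to storage, so the gate stays shut.
    onPassiveInteraction() { return loadAnalytics(); },
    // On page load, replay a previous explicit choice; 'unknown' shows the banner.
    init() { return state() === 'granted' ? loadAnalytics() : false; },
    injected: () => injected,
  };
}

// Minimal stand-ins so the gate can be exercised outside a browser (constructed).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head, createElement: tag => ({ tag }) };
}

// Walk through the scenarios the text describes and report what happened.
function demo() {
  const doc = fakeDocument();
  const gate = createConsentGate(memoryStorage(), doc);
  const r = {};
  r.beforeChoice = gate.init();               // false: banner shown, no tracker
  r.scrolled = gate.onPassiveInteraction();   // false: browsing is not consent
  r.afterAccept = gate.grant();               // true: script tag now injected
  r.scriptCount = doc.head.children.length;   // 1
  r.secondAccept = gate.grant();              // false: already loaded, no duplicate
  r.state = gate.state();                     // 'granted'
  return r;
}

console.log(demo());
```

The design point is that the accept button is the only caller that writes `granted`; every other event path can only read the stored state, so a bug in the banner's dismiss or scroll handling cannot accidentally start tracking.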
You can scan your studio website for free at app.custodia-privacy.com/scan — Custodia identifies tracker scripts, cookie consent issues, and missing privacy notices in under 60 seconds.
Instagram and Pinterest: Sharing Client Spaces
- Geotagging: Do not geotag posts featuring private residential properties
- Personal possessions: Blur or avoid photographing personal documents or medication visible in a space
- Reel content: Video walk-throughs require the same consent as still photography
- Tagging suppliers: Ensure your consent form covers third-party reposting
Where to Start
Most interior design studios need to take four foundational steps:
- Audit what you hold — client briefs, project files, photos, CRM data, email lists
- Update your privacy notice — to accurately describe your data practices and third-party sharing
- Get photography consent in writing — for every project where images will be used in portfolio or marketing
- Fix your website — cookie consent banner, privacy notice linked from contact forms, compliant analytics
The easiest way to identify what your website is doing with visitor data is to run a free scan at app.custodia-privacy.com/scan.
This guide is for informational purposes and does not constitute legal advice.