Why GDPR Applies to Landscape Gardeners
If you run a landscaping or gardening business, you handle personal data every day — client home addresses, phone numbers, email addresses, photographs of private properties, and payment details. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, this makes you a data controller, with legal obligations around how you collect, use, store, and share that information.
Many landscapers assume GDPR is something only relevant to tech companies or large corporations. In reality, any business that processes personal data about individuals is in scope. Whether you are a sole trader managing twenty residential clients or a growing landscaping firm with a team of seasonal workers, the same rules apply to you.
The Information Commissioner's Office (ICO) — the UK's data protection regulator — has powers to issue fines of up to £17.5 million or 4% of annual global turnover for serious breaches. Even for small businesses, enforcement action can mean significant disruption, reputational damage, and legal costs.
What Personal Data Do Landscape Gardeners Collect?
Before you can comply with GDPR, you need to understand exactly what personal data your business handles. For a typical landscaping or gardening company, this includes:
- Client contact details — full names, home addresses, email addresses, and phone numbers collected when clients enquire or book your services.
- Site survey notes — written or typed notes from initial visits to client properties.
- Project photographs — before and after images of client gardens, which may show the exterior of private homes.
- Payment information — bank details, card details processed through a payment provider, or records of cash payments.
- Quotes and invoices — documents that include client names, addresses, and financial information.
- Staff and worker records — names, addresses, National Insurance numbers, right to work documents, and payroll information.
- Subcontractor details — contact information for specialist contractors such as tree surgeons or irrigation installers.
Lawful Basis for Processing Client Data
Every time you process personal data, you must have a lawful basis for doing so. For landscape gardening businesses, two are most relevant:
Contract Performance
When a client engages you to carry out landscaping work, you need their name, address, and contact details to fulfil the contract. Processing this data is necessary to perform the service. This covers quote preparation, scheduling visits, invoicing, and carrying out the work itself.
Legitimate Interests
Legitimate interests can apply where you have a genuine, proportionate business reason to process data and it does not override the rights and interests of the individual. Examples include keeping a record of past projects for quality assurance or retaining contact details to follow up on an unanswered quote.
Consent is required for activities like sending marketing emails or using photographs of client properties for promotional purposes. Consent must be freely given, specific, informed, and unambiguous.
Site Photographs and Design Drawings
Photographs of client properties are a particularly sensitive area. Before-and-after photos are an invaluable marketing tool, but they carry privacy obligations many businesses overlook.
A photograph of a client's garden may include the exterior of their home. Even if no person appears in the photograph, images of private properties can be considered personal data if linked to an identifiable individual.
Obtaining Consent for Photos
If you wish to use site photographs for marketing — on your website, social media, brochures, or portfolio platforms — you must obtain explicit consent from the client. This consent should be:
- Requested separately from the service contract
- Clearly worded, specifying how and where the photographs will be used
- Freely given — clients must be able to decline without it affecting the service
- Recorded in writing or electronically as evidence
Clients can withdraw consent at any time. If they do, you must remove images from your marketing materials and website promptly.
Subcontractors and Suppliers: Data Sharing Obligations
Many landscaping projects involve subcontractors — tree surgeons, paving specialists, garden lighting engineers, or irrigation installers. When you share client personal data with a subcontractor, you are sharing personal data with a third party.
Under UK GDPR, if a subcontractor processes personal data on your behalf, they are acting as a data processor. You are the data controller, responsible for ensuring they handle data appropriately. This means you should have a written data processing agreement (DPA) in place with any subcontractor who handles client personal data.
A data processing agreement should set out:
- What personal data the subcontractor will access and for what purpose
- That the subcontractor will only process data on your documented instructions
- Security measures the subcontractor must implement
- That the subcontractor will delete or return the data at the end of the engagement
- That the subcontractor will notify you promptly if they suffer a data breach
Quotes, Invoices, and Financial Records
HMRC requires businesses to retain financial records for at least six years for tax purposes. This provides a clear lawful basis (legal obligation) for retaining invoice data for that period.
However, you should not retain records for longer than necessary. A quote that was never accepted by the client does not need to be kept for six years. Consider setting a shorter retention period for unsuccessful quotes — perhaps twelve months.
Financial records should be stored securely. If you use accounting software, ensure it is password-protected and that access is limited to those who need it.
Marketing: Before-and-After Photos on Social Media
Sharing project photos on Instagram, Facebook, or Houzz is one of the most effective ways to attract new landscaping clients. But it requires careful management under GDPR.
Explicit consent is required before posting photographs that could identify a client's property.
For email newsletters and direct marketing campaigns, you must have either:
- Consent — the client explicitly opted in to receive marketing emails; or
- Soft opt-in — the client purchased or enquired about a service, you are marketing similar services, and you gave them a clear opportunity to opt out.
Staff and Seasonal Worker Data
If you employ staff or engage seasonal workers, you hold significant amounts of personal data in your capacity as an employer:
- Names, addresses, and contact details
- National Insurance numbers and payroll information
- Bank account details for salary payments
- Right to work documentation (passports, visas, share codes)
- Sickness and absence records
- Performance records and disciplinary documentation
All staff should receive a staff privacy notice at the start of their employment explaining what data you hold about them, why you hold it, and what their rights are.
Data Retention: How Long to Keep Client Records
UK GDPR requires that personal data is kept no longer than necessary for the purpose for which it was collected. A sensible retention framework:
- Client contact details and project records — retain for three years after the last project
- Invoices and financial records — retain for six years as required by HMRC
- Unsuccessful quotes — retain for twelve months, then securely delete
- Staff employment records — retain for six years after employment ends
- Right to work documents — retain for two years after employment ends
- Marketing consent records — retain for as long as you send marketing to the individual
Data Subject Rights
Under UK GDPR, individuals have a range of rights:
- Right of access — individuals can request a copy of all personal data you hold (Subject Access Request). You have one month to respond, free of charge.
- Right to rectification — individuals can ask you to correct inaccurate data.
- Right to erasure — in certain circumstances, individuals can ask you to delete their data.
- Right to object — individuals can object to processing based on legitimate interests or for direct marketing.
Data Security
UK GDPR requires you to implement appropriate technical and organisational measures to keep personal data secure:
- Strong, unique passwords for email accounts and accounting software
- Two-factor authentication on key business accounts
- Encrypted sensitive files on laptops or USB drives
- Up-to-date software and operating systems
- Paper records locked in a secure cabinet
- Documents shredded when no longer needed
If you suffer a personal data breach, you must report it to the ICO within 72 hours if it is likely to result in a risk to individuals' rights.
ICO Registration
Most businesses that process personal data must register with the ICO and pay an annual data protection fee. For most small businesses, this is £40 per year (Tier 1).
Practical GDPR Compliance Checklist for Landscape Gardeners
- Map all personal data your business holds — clients, staff, subcontractors, and marketing lists
- Identify a lawful basis for each type of processing and document it
- Write or update your privacy notice and make it accessible to clients
- Obtain explicit written consent before using project photographs for marketing
- Put data processing agreements in place with subcontractors who handle client personal data
- Set and enforce data retention periods for all data categories
- Implement basic security measures: strong passwords, two-factor authentication, locked filing, secure disposal
- Give all staff a privacy notice at the start of employment
- Carry out right to work checks and retain documentation as required
- Register with the ICO and pay the annual data protection fee if required
- Know how to respond to a Subject Access Request within one month
- Have a process for identifying and reporting personal data breaches within 72 hours
- Ensure your website has a compliant cookie consent banner if you use analytics or advertising trackers
GDPR compliance for landscaping businesses comes down to a handful of practical steps: know what data you hold, protect it properly, be transparent with clients, and retain it only for as long as necessary. Tools like Custodia can help you automate website compliance.