DEV Community

Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Painters and Decorators: A Complete Compliance Guide

Why GDPR Applies to Painters and Decorators

You might think data protection law is for tech companies and big corporations. But if you're a painter or decorator running your own business, GDPR applies to you too. Every time you write down a customer's name, address, and phone number, you're processing personal data. Every quote you send, every invoice you file, every before-and-after photo you take at a client's property — all of it falls under the scope of UK GDPR and the Data Protection Act 2018.

The Information Commissioner's Office (ICO) has made clear that sole traders and micro-businesses are not exempt. If you handle personal data as part of your work, you have legal obligations. The good news is that compliance for a painting and decorating business is genuinely manageable once you understand what's required.

This guide walks through everything you need to know: what data you collect, your lawful basis for using it, how to handle photos and subcontractors, marketing rules, employee records, and how long to keep everything.

What Data Painters and Decorators Collect

Most painters and decorators collect more personal data than they realise. A typical job involves gathering and storing:

  • Customer names, home addresses, and contact details — essential for every job
  • Property type and access arrangements — including gate codes, key safe combinations, or details about when the customer will be home
  • Quote details and job specifications — surface areas, room dimensions, colour choices, product specifications
  • Before and after photographs — images of customers' private homes and interiors
  • Payment information — bank transfer details, card payment records, deposit amounts
  • Invoice and receipt records — linking individuals to financial transactions
  • Email and SMS correspondence — conversations about job scope, timing, and complaints
  • Referral information — who recommended you and to whom you were recommended

Home addresses are considered personal data under GDPR because they can identify a specific individual. Access codes and property details are particularly sensitive because they relate to a person's home security. All of this data needs to be handled carefully.

Lawful Basis for Processing

Under GDPR, you need a lawful basis to process personal data. For painters and decorators, two bases are most relevant.

Contract Performance

When a customer hires you to paint their home, you need their address to carry out the work. You need their contact details to arrange access. You need their payment information to receive money. All of this processing is necessary to perform the contract between you and the customer. You do not need to ask for separate consent — the contract itself provides your legal basis.

Legitimate Interests

Some processing is not strictly required by the contract but is a reasonable part of running your business. Keeping records of completed jobs for your own business management, or retaining customer contact details for a reasonable period in case of warranty issues or disputes, can be justified under legitimate interests. You should document your legitimate interests assessment and be prepared to explain your reasoning if asked.

For marketing — sending emails, newsletters, or promotional messages — you generally need explicit consent from the customer.

Before and After Photos: Customer Property Images

Photography is central to marketing for many painters and decorators. Before-and-after shots showcase your workmanship and help attract new customers on social media and your website. But photos of customers' homes raise specific GDPR considerations.

A photograph of a private residence can be personal data if it allows the property owner to be identified — for example, if the address is visible, or if the homeowner appears in the image.

Best practice is to get explicit written consent before using any customer property photos for marketing purposes. This consent should be:

  • Separate from the contract for the work itself
  • Specific about how the images will be used (website, Instagram, Facebook, printed materials)
  • Easy to withdraw at any time
  • Recorded so you can demonstrate it was given

A simple consent form or even a short written confirmation via email or WhatsApp works fine. The key is that you ask before you post, not after.

Quotes and Estimates: Retention and Data Handling

When a potential customer asks for a quote, they give you their personal data — name, address, contact details — in expectation that you'll use it to provide a price. If they accept, the contract basis covers your further processing. But what if they do not go ahead?

For unaccepted quotes, you should have a clear policy on how long you retain the data. A reasonable approach is to retain quote data for six months after the quote was provided. After that retention period, the personal data within the quote should be deleted or anonymised.

Subcontractors: Data Sharing When Bringing In Extra Tradespeople

Many painters and decorators bring in additional tradespeople for larger jobs. When you share a customer's address and job details with a subcontractor, you are sharing personal data.

Under GDPR, you are the data controller. Your subcontractor, when handling that data on your instructions, is acting as a data processor. You are responsible for ensuring they handle the data appropriately.

Practically, this means:

  • Only share the information the subcontractor actually needs to do their part of the job
  • Tell the subcontractor not to use the customer's details for their own marketing without the customer's consent
  • For regular subcontracting arrangements, consider a simple written agreement covering data protection obligations
  • Make sure your privacy notice mentions that you may share data with trusted tradespeople to deliver the work

Marketing: Follow-Ups, Seasonal Campaigns, and Opt-In Requirements

Many painters and decorators generate repeat business through follow-up contacts. These messages can be valuable, but GDPR and the Privacy and Electronic Communications Regulations (PECR) impose rules on how you can contact people.

For email and SMS marketing to individual consumers, you generally need their prior consent. There is a limited exception called the soft opt-in which allows you to email or text previous customers about similar services, provided you:

  • Obtained their contact details during a sale or negotiation of a sale
  • Are marketing similar services
  • Gave them a clear opportunity to opt out when you collected their details and in every subsequent message

Employee and PAYE Records

If you employ decorators or labourers, you will hold significant amounts of employee personal data. Employee records typically include:

  • Full name, address, date of birth, National Insurance number
  • Bank account details for payroll
  • Right to work documentation
  • Emergency contact details
  • Sick leave and absence records
  • Performance and disciplinary records

HMRC requires you to keep payroll records for at least three years from the end of the tax year they relate to. Keeping employment records for six years after employment ends is a common and defensible approach.

Data Retention: How Long to Keep Records

A clear data retention policy is one of the practical foundations of GDPR compliance. For a painting and decorating business:

  • Completed job records and customer files — 6 years from completion
  • Invoices and financial records — 6 years from the end of the accounting period (HMRC requirement)
  • Unaccepted quotes — 6 months from the date of the quote
  • Before and after photos (with consent) — until consent is withdrawn
  • Employee/PAYE records — 6 years after employment ends
  • Marketing opt-in records — retain for as long as you are marketing to the individual

Practical Compliance Checklist for Painters and Decorators

  • Do you have a privacy notice that explains what data you collect and why?
  • Do you provide this privacy notice to customers before or when you collect their data?
  • Have you checked whether you need to register with the ICO and pay the data protection fee?
  • Do you have a process for responding to data subject requests within one month?
  • Do you get explicit consent before using customer property photos for marketing?
  • Do you have a retention policy specifying how long you keep customer records, quote data, and financial records?
  • Do you securely delete data at the end of the retention period?
  • Do you have consent or a soft opt-in basis for any marketing emails or SMS messages you send?
  • Are your digital devices and cloud storage password-protected?

Getting Help With Compliance

GDPR compliance for a painting and decorating business does not require a solicitor or a dedicated compliance officer. The ICO publishes free guidance specifically aimed at small businesses and sole traders.

If you want to automate the compliance process — generating a privacy notice tailored to your business, scanning your website for tracker issues, or managing customer data subject requests — tools like Custodia can handle much of the heavy lifting without the cost of professional advice.
