DEV Community

Custodia-Admin

Originally published at app.custodia-privacy.com

GDPR for Personal Stylists: A Complete Compliance Guide

Why GDPR Applies to Personal Stylists

Personal styling is an intimate profession. To do their job well, stylists need to understand their clients on a deeply personal level - their body shape, their budget, their insecurities, their lifestyle. This means collecting and holding a remarkable amount of sensitive personal data.

The General Data Protection Regulation (GDPR) applies to any business or sole trader operating in the UK or EU, or working with clients who are based there. If you are a personal stylist, wardrobe consultant, or fashion advisor collecting information about your clients, GDPR governs how you must handle that data.

Failing to comply can result in fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. For a sole-trader stylist, even a modest ICO enforcement action or client complaint can be damaging. The good news is that compliance is straightforward once you understand the basics.

What Data Do Personal Stylists Collect?

Before you can protect client data, you need to understand exactly what you collect. Personal stylists typically gather a wide range of information, including:

  • Contact details - name, email address, phone number, home address
  • Body measurements - height, weight, dress size, waist, hips, chest, inseam, and shoe size
  • Style preferences - colour palettes, favoured brands, aesthetic references, style dislikes
  • Budget information - seasonal or annual styling budgets, spending limits per item or category
  • Shopping history - purchase records, retailer account access credentials, gift receipts
  • Wardrobe inventory - notes from closet audits, photographs of existing garments, keep/donate/discard decisions
  • Before and after photographs - images of clients pre-styling and post-styling, sometimes shared publicly on social media or in portfolios
  • Lifestyle and professional context - job role, travel requirements, event calendar, social obligations
  • Health and body considerations - post-surgery requirements, sensory sensitivities, pregnancy, disability-related dressing needs

Some of this - particularly health-related information - qualifies as special category data under GDPR, requiring a higher standard of protection.

Body Measurements and Personal Appearance Data

Body measurements are among the most sensitive data a stylist holds. They relate directly to a person's physical appearance and, in some cases, their health. While they are not automatically classified as special category data under GDPR, they are highly personal and should be treated with corresponding care.

If a client mentions health conditions that influence their clothing needs - for example, that they have had a mastectomy, are managing a chronic pain condition, or have sensory processing differences - that information is special category health data. You must have explicit consent to process it, and it must be stored securely.

Security Measures for Measurement Records

  • Store measurement records in password-protected files or encrypted cloud storage, not in plain text notes or email drafts
  • Do not share measurement data with third parties (tailors, retailers) without the client's knowledge and agreement
  • Implement access controls if you work with assistants or associates
  • Delete measurement records when they are no longer needed or when a client relationship ends

Lawful Basis for Processing Client Data

Every piece of personal data you process must have a lawful basis under GDPR Article 6. For personal stylists, the most relevant bases are:

Contract Performance

When a client engages you for styling services, you have a contract. Processing data necessary to deliver those services - contact details, measurements, style preferences, shopping information - is lawful under the "performance of a contract" basis.

Legitimate Interests

Some processing may be justified by your legitimate business interests, provided those interests are not overridden by the client's privacy rights. For example, keeping a brief record of a client's preferences after the contract ends so you can offer relevant services in future may qualify - but you should document this reasoning in a Legitimate Interests Assessment (LIA).

Consent

Consent is required for processing that goes beyond what is strictly necessary for the contracted services. Key examples include:

  • Using before and after photographs in your portfolio or on social media
  • Sending marketing emails, newsletters, or lookbooks
  • Sharing client information with third-party retailers or personal shoppers
  • Retaining data significantly beyond the end of the service relationship

Consent must be freely given, specific, informed, and unambiguous. Use a clear opt-in mechanism - ideally a written consent form signed at the start of the engagement.

Wardrobe Audits in Client Homes

A wardrobe audit involves visiting a client in their home, cataloguing their existing clothing and accessories, and making recommendations about what to keep, donate, or discard. This process generates detailed records about a client's personal belongings, living space, and lifestyle.

From a GDPR perspective, wardrobe audit notes and photographs are personal data. You should:

  • Inform clients before the visit what notes and photographs you will take and how they will be used
  • Obtain written consent if you intend to photograph items beyond what is necessary for the audit itself
  • Store audit notes securely and not share them with third parties without consent
  • Set a clear retention policy - for example, retaining wardrobe audit records for 12 months after the engagement ends, then deleting them

Before and After Styling Photos

Before and after photographs are powerful marketing tools for personal stylists. However, they are photographs of a real person - personal data that requires explicit consent before you can use them for any purpose beyond the styling session itself.

Consent Requirements for Client Photography

  • Obtain separate, explicit consent for each intended use: portfolio, website, Instagram, TikTok, press features, etc.
  • Make consent granular - a client may agree to portfolio use but not social media
  • Never assume consent carries over from one context to another
  • Allow clients to withdraw consent at any time and honour that withdrawal promptly
  • Do not tag clients in social media posts without their express agreement

Home Visit Data: Residential Addresses and Access Information

When you visit clients at home, you hold their residential address and, in some cases, additional access information such as gate codes or key safe combinations. This information is personal data and must be handled carefully.

  • Store residential addresses and access details in a secure, encrypted system
  • Delete access codes immediately after they are no longer needed
  • Ensure scheduling tools and CRM software have Data Processing Agreements (DPAs) in place

Shopping Data: Retailer Accounts and Personal Shopper Records

Many personal stylists act as personal shoppers for their clients, which may involve accessing the client's retailer accounts or making purchases on their behalf.

  • Retailer account access: Store login credentials in an encrypted password manager; delete them when no longer required
  • Purchase records: Retain only what is necessary and only as long as needed
  • Payment information: Never store client payment card details yourself - use a regulated payment processor

Marketing: Lookbooks, Newsletters, and Seasonal Style Alerts

Under GDPR and PECR, sending marketing emails requires a valid legal basis - typically explicit consent.

  • Use a clear, affirmative opt-in at the point of data collection
  • Describe specifically what you will send (e.g. "seasonal lookbooks and styling tips, approximately four times per year")
  • Include an easy opt-out mechanism in every marketing message
  • Honour unsubscribe requests promptly

If you partner with retailers or brands and wish to pass on client details for promotional purposes, you need explicit consent.

Data Retention: How Long to Keep Client Style Files

You need a documented retention policy setting out how long different categories of client data are kept and why.

  • Active client files: 12-24 months after the last contact
  • Financial records: 6-7 years for tax purposes
  • Before and after photographs: held only with active consent; delete if consent is withdrawn
  • Wardrobe audit notes: 6-12 months after engagement ends
  • Access codes and security information: delete immediately upon completion of the relevant visit
  • Marketing consent records: retain for the duration of marketing activity plus a reasonable period

Practical GDPR Compliance Checklist for Personal Stylists

  • Register with the ICO as a data controller
  • Create a written privacy notice covering all required GDPR information
  • Add a privacy notice link to your website, client contract, and intake form
  • Document your lawful basis for each category of data processing
  • Obtain explicit, written consent for photography use (portfolio, social media, press)
  • Obtain opt-in consent before sending any marketing emails or lookbooks
  • Store all client data in encrypted, password-protected systems
  • Implement a written data retention policy and apply it consistently
  • Delete access codes and security information immediately after use
  • Ensure all software tools have Data Processing Agreements
  • Create a process for handling Subject Access Requests
  • Train any associates or assistants on data protection obligations
  • Review your compliance posture at least annually

How Custodia Can Help

Custodia is an AI-native privacy compliance platform built for small businesses and independent professionals. It scans your website for trackers and privacy issues, generates a compliant privacy policy tailored to your business, and provides a cookie consent banner that meets GDPR and PECR requirements.

Start with a free website scan at app.custodia-privacy.com.
