
GDPR for Mobile Vendors: How to Handle Client Data Legally

Compliance 17 January 2026 7 min read VendorPad Team

You're collecting client names, emails, and addresses. That's personal data, which means GDPR applies. But you're not a big company—do you really need to worry about it? Here's what small vendors need to know about GDPR.

What GDPR Actually Means for Small Businesses

GDPR (General Data Protection Regulation) governs how businesses collect, store, and use personal data. It applies to every business that handles personal information about individuals—regardless of size.

Personal data includes anything that can identify a person: names, email addresses, phone numbers, addresses, photos, and even dietary requirements or allergy information you collect for events.

The good news: GDPR compliance for small vendors isn't the complex undertaking it is for large corporations. You need to follow some basic principles, but you don't need a dedicated data protection officer or expensive compliance software.

What Data Do You Actually Collect?

Before you can comply with GDPR, you need to understand what personal data you're handling. For most mobile vendors, this includes:

  • Client contact details: Names, emails, phone numbers, addresses
  • Event information: Wedding details, guest counts, venue addresses
  • Dietary and allergy information: Particularly sensitive data requiring extra care
  • Payment information: Bank details, card numbers (if you process payments)
  • Communications: Emails, messages, enquiry forms
  • Photos and videos: Event images that may include identifiable people

Consider where this data lives: your email inbox, phone contacts, spreadsheets, booking software, cloud storage, paper files. GDPR applies to all of it.

The Core Principles

GDPR is built on six key principles. Understanding these helps you make good decisions even in situations that aren't explicitly covered by specific rules.

Lawfulness, Fairness, and Transparency

You must have a legal basis for processing data, be honest about how you use it, and be transparent with people about what you're doing with their information.

Purpose Limitation

Only collect data for specific, stated purposes. If someone gives you their email to receive a quote, you can't automatically add them to your marketing list.

Data Minimisation

Only collect data you actually need. If you don't need someone's date of birth to cater their event, don't ask for it.

Accuracy

Keep data accurate and up to date. If a client tells you their email has changed, update your records.

Storage Limitation

Don't keep data longer than necessary. You don't need to retain enquiry details from someone who didn't book you five years ago.

Security

Protect data appropriately. Use passwords, don't leave client files lying around, secure your devices.

Pro Tip

When in doubt, ask yourself: "Would I be comfortable if a client asked me exactly what I'm doing with their data?" If the answer is yes, you're probably on the right track. GDPR is largely about being respectful and transparent with people's information.

Practical Steps for Compliance

Create a Simple Privacy Policy

You need a privacy policy that explains what data you collect, why, how you use it, and people's rights. This should be on your website and available to anyone who asks.

It doesn't need to be lengthy or full of legal jargon. Plain English explaining what you actually do is better than copied corporate policies that don't reflect your business.

Get Proper Consent for Marketing

You can contact clients about their bookings without explicit consent—that's necessary for delivering your service. But marketing communications (newsletters, promotional emails) require consent.

Add a clear opt-in checkbox to your enquiry forms. "Yes, I'd like to receive occasional updates and offers" is sufficient. Don't pre-tick the box—consent must be actively given.
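The purpose-limitation and consent rules above can be enforced in whatever you use to handle enquiries, so that a quote request never silently becomes a marketing subscription. The following is an added example and not code from the original post or from VendorPad; the field names (`email`, `marketing_opt_in`), the `value="yes"` the checkbox is assumed to submit, and the sample submissions are all assumptions made for the illustration.

```python
"""Purpose-limited contact handling for a small vendor's enquiry form.

Added example (not the post's or VendorPad's own code). It models two rules:
an enquiry stores the email for the 'quote' purpose only, and marketing is
added as a purpose solely when the opt-in box was actively ticked. The form
field names and the checkbox value "yes" are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# The exact wording shown next to the checkbox, kept as evidence of consent.
MARKETING_CHECKBOX_TEXT = "Yes, I'd like to receive occasional updates and offers"


@dataclass
class Contact:
    email: str
    purposes: set = field(default_factory=set)   # e.g. {"quote"} or {"quote", "marketing"}
    consent_record: Optional[dict] = None        # how and when marketing consent was given


def handle_enquiry(form: dict) -> Contact:
    """Create a contact from a submitted enquiry form (a dict of field -> value)."""
    contact = Contact(email=form["email"].strip().lower(), purposes={"quote"})
    # An unticked checkbox is normally absent from the submission, so only the
    # explicit affirmative value the form is built to send counts as consent;
    # a missing or empty field is treated as no consent, never as a default.
    if form.get("marketing_opt_in") == "yes":
        contact.purposes.add("marketing")
        contact.consent_record = {
            "wording": MARKETING_CHECKBOX_TEXT,
            "given_at": datetime.now(timezone.utc).isoformat(),
            "source": "enquiry_form",
        }
    return contact


def may_send_marketing(contact: Contact) -> bool:
    """Promotional email is allowed only where the purpose and its consent record both exist."""
    return "marketing" in contact.purposes and contact.consent_record is not None


def withdraw_marketing_consent(contact: Contact) -> Contact:
    """Right to object: drop the marketing purpose and the consent record behind it."""
    contact.purposes.discard("marketing")
    contact.consent_record = None
    return contact


def build_marketing_list(contacts: list) -> list:
    """Return only the addresses that may lawfully receive promotional email."""
    return [c.email for c in contacts if may_send_marketing(c)]


if __name__ == "__main__":
    # Constructed sample submissions, not real people.
    quote_only = handle_enquiry({"email": "A@example.com"})
    opted_in = handle_enquiry({"email": "b@example.com", "marketing_opt_in": "yes"})
    print(build_marketing_list([quote_only, opted_in]))
```

The design point is that the marketing list is derived from the stored purposes at send time rather than maintained as a separate spreadsheet, so removing consent in one place removes the person from every future send, and the stored wording and timestamp let you show what the person agreed to if asked.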

Secure Your Data

Basic security measures are usually sufficient for small businesses:

  • Password-protect your devices and accounts
  • Use strong, unique passwords (a password manager helps)
  • Keep software updated
  • Back up important data
  • Be careful with public WiFi
  • Lock your phone and computer when not in use

Handle Allergy Information Carefully

Health-related data (including allergies and dietary requirements) is considered "special category" data under GDPR and requires extra protection. Only collect it when necessary, store it securely, and delete it after the event.

People's Rights

GDPR gives individuals rights over their data. You should be prepared to handle requests:

  • Right to access: People can ask what data you hold about them
  • Right to rectification: People can ask you to correct inaccurate data
  • Right to erasure: People can ask you to delete their data (with some exceptions)
  • Right to object: People can opt out of marketing at any time

In practice, these requests are rare for small vendors. But if someone asks, you must respond within one month.

Data Retention

Decide how long you'll keep different types of data. There's no single right answer, but be reasonable:

  • Enquiries that didn't book: Delete after a year or two
  • Client records: Keep for the duration of any guarantee period, plus enough time for potential legal claims (often six years)
  • Financial records: HMRC requires you to keep records for at least six years
  • Marketing lists: Remove people who haven't engaged in a reasonable period
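A retention schedule only helps if something actually applies it. The example below is added here and is not code from the original post or from VendorPad: it turns the retention periods listed above, together with the earlier rule to delete allergy information after the event, into a check that reports which records are now due for deletion. The record categories, the concrete periods chosen where the text gives a range, and the sample records are assumptions for the illustration.

```python
"""Retention sweep for a small vendor's client data.

Added example (not the post's or VendorPad's own code). Each record carries a
category and a reference date (last contact, event date, invoice date or last
engagement); a record is due for deletion once today is past the reference
date plus the category's retention period. Categories, periods and the sample
records are assumptions chosen for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per category, counted from the record's reference date.
RETENTION = {
    "enquiry_no_booking": timedelta(days=365 * 2),  # "a year or two": two years chosen here
    "client_record": timedelta(days=365 * 6),       # room for legal claims: six years
    "financial_record": timedelta(days=365 * 6),    # HMRC: at least six years
    "allergy_info": timedelta(days=0),              # special category: delete once the event is over
    "marketing_contact": timedelta(days=365 * 2),   # no engagement for a reasonable period
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    reference_date: date


def is_due_for_deletion(record: Record, today: date) -> bool:
    """True once the record's retention period has fully elapsed as of `today`."""
    if record.category not in RETENTION:
        # Unknown categories are refused rather than kept indefinitely by accident.
        raise ValueError(f"no retention rule for category {record.category!r}")
    return today > record.reference_date + RETENTION[record.category]


def records_due_for_deletion(records: list, today: date) -> list:
    """Sorted ids of every record that should be deleted as of `today`."""
    return sorted(r.record_id for r in records if is_due_for_deletion(r, today))


# Constructed sample records (not real data); reference dates are illustrative.
SAMPLE_RECORDS = [
    Record("enq-001", "enquiry_no_booking", date(2023, 6, 1)),    # old enquiry, never booked
    Record("enq-002", "enquiry_no_booking", date(2025, 9, 15)),   # recent enquiry
    Record("cli-001", "client_record", date(2019, 5, 20)),        # client from over six years ago
    Record("inv-001", "financial_record", date(2021, 4, 5)),      # invoice still within six years
    Record("alg-001", "allergy_info", date(2026, 1, 10)),         # event already happened
    Record("alg-002", "allergy_info", date(2026, 3, 14)),         # event still to come
    Record("mkt-001", "marketing_contact", date(2023, 1, 1)),     # no engagement for three years
]

# The sweep date used in the usage example: the post's publication date.
AS_OF = date(2026, 1, 17)


if __name__ == "__main__":
    for record_id in records_due_for_deletion(SAMPLE_RECORDS, AS_OF):
        print("delete:", record_id)
```

Running the sweep regularly, for example once a month, and acting on its output is what turns "don't keep data longer than necessary" from a principle into a habit; the same category-based schedule can be written into your privacy policy as the retention periods you tell people about.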


Event Photos and Social Media

Photos from events need careful handling. People in your photos have rights over their image.

Best practice:

  • Include a clause in your contract about photography and social media use
  • Ask permission before posting photos that clearly identify individuals
  • Avoid posting photos of children without explicit parental consent
  • Remove photos promptly if asked

What If Something Goes Wrong?

If you experience a data breach (data is accessed, lost, or shared inappropriately), you may need to report it to the Information Commissioner's Office (ICO) within 72 hours. You should also notify affected individuals if the breach poses a high risk to them.

Common breaches for small businesses include losing a phone with client data, sending an email to the wrong person, or having an account hacked. Prevention is better than cure—basic security measures prevent most breaches.

Do You Need to Register with the ICO?

Most businesses that process personal data need to pay an annual data protection fee to the ICO. The fee for most small businesses is £40 per year. Check the ICO's self-assessment tool to confirm whether you need to register.

Final Thoughts

GDPR compliance for mobile vendors isn't about complex legal procedures—it's about treating people's data with respect. Collect only what you need, keep it secure, be transparent about what you're doing, and delete it when you no longer need it.

Most vendors are already doing most of this naturally. The key is being intentional about it: have a privacy policy, get proper consent for marketing, and think about data security. These steps protect your clients and your business.