Operations |

GDPR and Your Booking Software - What UK Service Businesses Must Know

A practical guide to GDPR compliance for salons, clinics, trainers, and studios. What data you collect, how to store it, and what your software must handle.

By Sophie Chen

What data you collect

Think about what your booking system stores for each client. At minimum: their full name, email address, phone number, the service they booked, the date and time of each visit, and their booking history. That is personal data under GDPR. If you also collect medical information (intake forms, health questionnaires, allergy records), treatment notes, photographs of the client, or detailed personal preferences, you are storing special category data which has stricter protection requirements. Even a simple salon that only collects name, email, and phone is holding enough personal data to fall under GDPR. The difference between a salon and a clinic is the sensitivity level of the data, which affects what security measures are required, but both are processing personal data and both need to comply.

Lawful basis for processing

Under GDPR, you need a lawful basis for processing personal data. You cannot just collect and store information because it is convenient. For booking data (name, email, phone, appointment details), the lawful basis is performance of a contract. The client gives you their details so you can provide a service they have requested. This is straightforward and does not require separate consent. For email marketing (promotional emails, newsletters, offers), you need explicit consent. This means a clear opt-in checkbox during booking that is NOT pre-ticked. The client must actively choose to receive marketing. They must be able to withdraw consent at any time. And you must stop immediately if they do. For transactional emails (booking confirmations, appointment reminders, cancellation notices), no marketing consent is needed because these are part of delivering the service the client booked.

What your booking software must do

Your booking platform is your data processor. It stores and manages personal data on your behalf. Under GDPR, you are responsible for ensuring your processor meets adequate security standards. Specifically, look for: encryption at rest (data stored in encrypted form, not readable if the database is compromised), encryption in transit (TLS 1.2 or higher for all connections between the client's browser and the server), role-based access control (staff members only see data relevant to their role), audit logging (a record of who accessed or modified client data and when), data export capability (you must be able to provide a client with a copy of all their data within 30 days if they request it), data deletion capability (you must be able to permanently delete a client's data if they request it), and EU or UK data residency (data stored in compliant jurisdictions, not in countries without adequate data protection). Better Bookings meets all of these requirements: AES-256 encryption at rest, TLS 1.2+ in transit, role-based access across Owner/Manager/Staff roles, EU data residency via Supabase, and the ability for clients to request data export or deletion.

Consent and communication

The distinction between transactional and marketing emails trips up many businesses. Transactional emails are part of delivering the service: booking confirmations, appointment reminders, cancellation notifications, receipt emails, and password reset links. These do not require marketing consent because they are necessary for the service to function. Marketing emails are promotional: special offers, re-engagement campaigns, newsletters, loyalty promotions, and win-back messages. These require explicit opt-in consent collected at or before the point of sending. The grey area: is a rebooking reminder marketing or transactional? If it says 'Your next haircut is due, book now,' that is borderline. Conservative interpretation treats it as marketing because it is encouraging a new purchase. Pragmatic interpretation treats it as a service notification if the client has a regular booking pattern. The safest approach is to collect marketing consent during booking and only send promotional content to clients who opted in.

Data retention

GDPR requires you to have a data retention policy. You cannot store personal data indefinitely just in case you need it someday. The principle is data minimisation: keep data only as long as you have a legitimate reason to hold it. For a service business, a reasonable retention period is 2-3 years after the client's last booking. This covers the period in which they might return, any accounting or tax obligations (typically 6 years for financial records), and any potential legal claims. After the retention period expires, delete or anonymise the record. Anonymisation means removing identifying details (name, email, phone) while keeping aggregate data (booking counts, revenue) for reporting purposes. In practice, most small businesses do not need complex automated retention. But you should have a written policy stating how long you keep data and what triggers deletion. And your booking platform should make it possible to delete a client record completely when requested or when the retention period expires.

The practical bottom line

Here is the practical summary for a service business. Use a booking platform that handles the technical security (encryption, access control, data residency, audit logging). Do not store client data in spreadsheets, paper files, or unsecured tools. Collect marketing consent at the point of booking with an opt-in checkbox. Display a privacy policy on your booking page explaining what data you collect and why. Respond to any client data request (access or deletion) within 30 days. Do not keep data longer than necessary. That covers 95% of what a service business needs to worry about. The remaining 5% (Data Protection Impact Assessments, DPA agreements with processors, records of processing activities) only becomes relevant if you are processing large volumes of sensitive data or operating at enterprise scale. For a solo stylist or a small clinic, the basics above are sufficient. Choose a booking platform that handles the technical compliance automatically so you can focus on running your business.

Frequently Asked Questions

Can I be fined for GDPR non-compliance as a small business?

Yes. Fines can reach up to £17.5 million or 4% of annual turnover (whichever is higher), though the ICO typically issues warnings and corrective orders to small businesses first. The bigger risk is reputational damage from a data breach.

Do I need a Data Processing Agreement with my booking software?

Yes, if your booking software processes personal data on your behalf (which it does). Reputable platforms provide a DPA as standard. Ask your provider for theirs.