Client records and UK GDPR for tattoo studios
TL;DR: Under the Data Protection Act 2018 and UK GDPR, tattoo studios need a lawful basis for client data, plus an Article 9 condition (usually explicit consent) for special-category health data. Consent forms are typically retained 6 years minimum, often 10 plus. Most studios must register with the ICO and pay the data protection fee, currently £52 a year.
Tattoo studios hold three categories of data that the law treats very differently: identification and contact data (name, DOB, address, ID details, phone, email), special-category health data (medical history from the consent form, allergy history), and procedure data (designs, sessions, photos, payments). The rules for each are anchored in the Data Protection Act 2018 and UK GDPR. This guide describes what compliance looks like in 2025-26.
The core duties
UK GDPR principles (ICO summary) require that personal data is:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Kept no longer than necessary.
- Processed securely.
- Accountable: you must be able to demonstrate compliance.
For a tattoo studio, that translates into:
- A clear, written privacy notice for clients.
- A lawful basis for every category of data you hold.
- An Article 9 condition, on top of the Article 6 basis, for special-category data (health information).
- Retention periods defined and enforced.
- Secure storage.
- A documented process for handling subject access, erasure, and rectification requests.
- ICO registration and the data protection fee (currently £52/year for most small businesses).
Lawful basis, what applies where
The lawful bases under UK GDPR Article 6 most relevant to tattoo studios:
- Performance of a contract (Art. 6(1)(b)), for booking and payment data, where the client is contracting for tattooing services.
- Legitimate interests (Art. 6(1)(f)), for some marketing and operational uses, with a documented legitimate-interests assessment.
- Consent (Art. 6(1)(a)), for marketing and photo use, where consent is freely given, specific, informed, and unambiguous. Keep it separate from the client's consent to the procedure itself, which is clinical consent, not a GDPR lawful basis for processing.
For special-category data (health information from the consent form), you need an Article 6 basis and an Article 9 condition. Most relevant:
- Art. 9(2)(h): necessary for medical diagnosis or the provision of health or social care or treatment. A stretch for tattooing: it is written for health and social care, and Art. 9(3) only allows it where the data is handled by or under the responsibility of someone bound by professional secrecy, which a tattooist is not.
- Art. 9(2)(a): explicit consent. The cleanest condition: the client gives an explicit, affirmative statement on the consent form agreeing to the studio collecting and retaining their medical history for the purpose of safely performing the procedure. One caveat: consent can be withdrawn, so your privacy notice should say that once the procedure has been carried out the form is kept to defend legal claims (Art. 9(2)(f)), a condition that does not depend on consent.
Document your basis in your privacy notice and in a written record of processing activities.
What you should and should not collect
Collect (with lawful basis)
- Full name and DOB (identity, ID check, age verification under LG(MP)A 1982 Part VIII byelaw expectations and the Tattooing of Minors Act 1969 defence).
- Address, phone, email (for booking, aftercare follow-up, recall if there's an ink/equipment incident).
- ID type checked and reference (Tattooing of Minors Act defensible record).
- Relevant medical history on the consent form, see consent and age verification.
- Procedure record, design, placement, session date, ink batch numbers, needle batch numbers, aftercare sheet given.
- Healed photos (with separate explicit consent).
Do NOT collect
- HIV or hepatitis status, collecting this is unnecessary for safe tattooing (universal precautions apply) and creates an Equality Act 2010 disability-discrimination risk if it influences whether you take the booking. See bloodborne viruses and vaccination.
- General medical history unrelated to the procedure.
- Sexual orientation, religion, ethnicity, no lawful basis for this in a tattoo studio operational context.
- Marketing preferences without separate consent, bundle into one tick box at your peril.
The principle at work here is data minimisation, one of the GDPR principles the ICO enforces most. Less data, lower risk.
Retention periods
There is no one-size-fits-all retention period, set yours based on the purpose:
- Consent forms and medical history: retain at least as long as a claim about the procedure could still be brought. Personal-injury claims have a 3-year limitation period (s.11 Limitation Act 1980), but it runs from the claimant's date of knowledge rather than the procedure date and the court can extend it (s.33); contract claims have 6 years (s.5). The standard working minimum is 6 years, and many studios retain 10+ years to cover late-discovered injury.
- Procedure record (design, batch numbers, dates), same as consent forms, for recall and traceability purposes.
- Photos, until consent is withdrawn or the retention period in your photo-consent expires.
- Booking and payment records: HMRC requires the self-employed to keep records for at least 5 years after the 31 January filing deadline of the tax year they relate to, and limited companies for 6 years from the end of the financial year; 6 years from the end of the tax year is a safe working rule for both. See the tax section.
- Marketing data: retained while the relationship is active, deleted on request or after a period of inactivity (commonly 2-3 years).
Document the retention period for each data category in your privacy notice.
Storage and security
UK GDPR requires "appropriate technical and organisational measures", proportionate to the risk. For a small tattoo studio:
Paper records
- Locked filing cabinet in a secure area not accessible to clients.
- Keys held only by named staff.
- Records destroyed by cross-cut shredder when retention expires.
Digital records
- Strong passwords on all devices (12+ characters, unique per service).
- Two-factor authentication on email, booking and cloud-storage accounts, with an individual login per staff member rather than one shared studio account.
- Full-disk encryption on laptops and phones holding client data (BitLocker on Windows, FileVault on macOS, encrypted by default on modern phones).
- Regular software updates.
- Backup to encrypted cloud storage with restricted access.
- Booking system from a provider that will sign a written data processing agreement (DPA) with you, as Article 28 requires for any processor; if the provider stores data outside the UK, check the transfer is covered (UK adequacy regulations, or the ICO's international data transfer agreement or addendum).
Photos
- Stored separately from identifying data where possible.
- Captioned by date and procedure, not by client identifying detail.
- For social media use: cropped to remove identifying features unless the client has explicitly consented to identifiable use. Bear in mind that a distinctive design can identify its wearer even with face, name and location removed, so treat the photo as personal data either way.
Subject access requests (SARs)
A client has the right to request a copy of their data, free of charge, within 1 month of the request. Have a documented process:
- Verify identity of the requester (so you don't give one client's record to another).
- Search your records, paper file, digital booking system, email, photos.
- Compile the response, copies of all data held about the client, in a clear format.
- Redact anything that contains another person's data (e.g. a payment record naming a co-payer).
- Provide within 1 month of receipt, extendable by a further 2 months for complex or numerous requests if you tell the client within the first month.
Erasure (right to be forgotten)
A client can request erasure of their data. The right is not absolute. You can refuse where:
- You need the data to comply with a legal obligation (e.g. HMRC retention).
- You need the data for the establishment, exercise or defence of legal claims (e.g. a consent form covering a procedure for which a complaint could still be brought).
- The data is necessary for public health reasons (rare in tattooing).
In practice, most requests to erase a consent form in the first 6-10 years after the procedure can be refused on the legal-claims basis (Art. 17(3)(e)). The refusal is per data item, not per client: the consent form stays, but marketing data, and photos whose consent has been withdrawn, should still be deleted. Record the reason and tell the client, including that they may complain to the ICO.
After the retention period expires, the data should be deleted as a matter of course, regardless of whether the client requests it.
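The retention and erasure rules above, worked through as an added example that is not part of this guide. It assumes the working periods named here (10 years for consent forms and procedure records, 6 years from the end of the tax year for financial records, 3 years of inactivity for marketing data, photos held until consent is withdrawn); the record layout and sample records are constructed for illustration. It shows two things the text states but does not walk through: that a single erasure request is decided item by item, with a refusal reason recorded for what is kept, and that records past their retention date come up for destruction whether or not anyone asks.

```python
from dataclasses import dataclass
from datetime import date

# Retention policy assumed for this example (illustrative working periods, not legal advice).
# Years are counted from the triggering event for each category.
RETENTION_YEARS = {
    "consent_form": 10,      # from procedure date; 6 years minimum, 10 gives margin for late claims
    "procedure_record": 10,  # from procedure date; same period as the consent form (traceability)
    "financial": 6,          # from the END of the tax year of the transaction (safe working rule)
    "marketing": 3,          # from last interaction; deleted earlier on request
    "photo": None,           # no fixed period; kept until photo consent is withdrawn
}


@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    category: str
    event_date: date  # procedure date, transaction date, or last marketing contact


def add_years(d: date, years: int) -> date:
    """Anniversary date; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def uk_tax_year_end(d: date) -> date:
    """The UK tax year runs 6 April to 5 April; return the 5 April that ends d's tax year."""
    if (d.month, d.day) >= (4, 6):
        return date(d.year + 1, 4, 5)
    return date(d.year, 4, 5)


def retention_expiry(rec: Record):
    """Earliest date on which the record may be destroyed, or None for consent-bound data."""
    years = RETENTION_YEARS[rec.category]
    if years is None:
        return None
    if rec.category == "financial":
        return add_years(uk_tax_year_end(rec.event_date), years)
    return add_years(rec.event_date, years)


def erasure_decision(rec: Record, requested_on: date):
    """Decide an erasure request for one record: ('erase' | 'refuse', reason to record)."""
    if rec.category == "marketing":
        return ("erase", "consent-based marketing data: erase on request")
    if rec.category == "photo":
        return ("erase", "request treated as withdrawal of photo consent: erase and take down")
    expiry = retention_expiry(rec)
    if requested_on < expiry:
        basis = ("legal obligation (HMRC record-keeping)" if rec.category == "financial"
                 else "establishment, exercise or defence of legal claims")
        return ("refuse", f"{basis}; retention runs until {expiry.isoformat()}")
    return ("erase", f"retention expired {expiry.isoformat()}")


def due_for_destruction(records, today: date):
    """Records whose retention has expired and must go without waiting for a request."""
    due = []
    for rec in records:
        expiry = retention_expiry(rec)
        if expiry is not None and expiry <= today:
            due.append(rec)
    return due


# Constructed sample records for one client (not real data).
SAMPLE = [
    Record("R1", "C001", "consent_form", date(2016, 3, 1)),
    Record("R2", "C001", "procedure_record", date(2016, 3, 1)),
    Record("R3", "C001", "financial", date(2016, 4, 6)),
    Record("R4", "C001", "marketing", date(2021, 1, 15)),
    Record("R5", "C001", "photo", date(2016, 3, 20)),
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    for rec in SAMPLE:
        print(rec.record_id, rec.category, erasure_decision(rec, today))
    print("due for destruction:", [r.record_id for r in due_for_destruction(SAMPLE, today)])
```

Run against the sample on 1 June 2025 the consent form and procedure record are refused (their 10 years run to March 2026), the payment record is erased because its tax-year-based period ended in April 2023, and the marketing and photo items are erased on request. The same financial and marketing records also appear in the destruction list, which is the scheduled clean-up the guide says should happen regardless of any request; note that a transaction on 6 April lands in the following tax year, so its 6-year period ends almost 7 years after the payment.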
Data breach response
If client data is lost, stolen, accessed without authorisation, or accidentally disclosed:
- Contain, stop the breach (revoke access, recover the device).
- Assess the likely risk to the clients affected. What was in the data and how it was protected matters most: a lost laptop with full-disk encryption and a locked screen is usually low risk, while the same laptop unencrypted is likely reportable, so keep evidence of the device's encryption setting.
- Report to the ICO within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms: ICO breach reporting.
- Notify affected clients without undue delay if there is high risk.
- Document the breach, the response, and lessons learned. Even non-reportable breaches must be documented internally.
ICO registration
Most tattoo studios processing personal data must register with the ICO and pay the annual data protection fee (currently £52 for tier 1 small organisations; check the ICO fee self-assessment for your exact tier). Not paying when required is enforced separately from the rest of UK GDPR: the ICO can issue a fixed monetary penalty for non-payment, on top of any action over how the data itself is handled.
Privacy notice
Every studio needs a written, client-facing privacy notice covering:
- Who you are (studio name, address, contact route).
- What data you collect.
- The lawful basis for each.
- Retention periods.
- Recipients (e.g. your booking-system and cloud-storage providers as processors; your accountant for financial records; insurers or solicitors if a claim is made).
- Client rights (access, rectification, erasure, restriction, objection).
- ICO complaint route.
Display at the studio and link from your booking flow.
What this guide cannot do
UK GDPR compliance is detailed and case-specific. A privacy notice template downloaded from a general business resource is unlikely to fit a tattoo studio exactly.
Information, not advice. For your situation, verify with the ICO guidance for small organisations, and consider a one-off data protection review with a competent adviser when you set up your systems.