← Back to Guides
For Stallholders & Event Hosts

GDPR for Craft Businesses and Event Hosts

Last updated: June 2026 · 8 min read

GDPR sounds intimidating, but for a small craft business or event host, compliance is more straightforward than you might think. If you collect email addresses on a sign-up sheet at a craft fair, take card payments on your stall, photograph customers at events, or store stallholder application details as an organiser, you are processing personal data, and the UK GDPR and Data Protection Act 2018 apply. The rules are the same whether you sell at fairs and markets or online. This guide explains what that means in practice and what you actually need to do, without the jargon.

Key Point

GDPR applies to almost every craft business and event host, including data collected face to face at a craft fair. But compliance for small businesses is not as complex as it sounds: a short privacy notice, proper consent for marketing emails, and sensible data handling covers most situations.

Does GDPR apply to me?

Almost certainly yes. The UK GDPR applies to any individual or organisation that processes personal data, and "personal data" is any information that can identify a living person.

For craft sellers, you are processing personal data if you:

  • Collect email addresses for a mailing list or newsletter.
  • Take card payments (your payment processor handles most of the technical compliance, but you are still the data controller).
  • Keep customer order records with names and addresses.
  • Photograph customers or their purchases for social media.
  • Maintain a customer database or contact list.

For event hosts, you are processing personal data if you:

  • Collect stallholder personal information via application forms.
  • Store vendor contact details, insurance documents, or booking records.
  • Take event photographs showing identifiable people.
  • Send email marketing to past vendors or attendees.
  • Share vendor details with venue managers or other third parties.

The only exemption is purely personal or household activity. If you are genuinely just making things for family and friends with no business element, GDPR does not apply.

Key principles in plain English

The UK GDPR is built on a set of principles. In plain English, they mean:

  • Lawful basis: you need a legitimate reason to collect and use personal data. For marketing emails, the reason is usually consent (the person opted in). For contracts (booking confirmations, invoices), the reason is "performance of a contract."
  • Transparency: tell people what data you are collecting and why. A short privacy notice on your website or booking form is sufficient.
  • Data minimisation: only collect what you actually need. If all you need is an email address for your mailing list, do not also ask for a phone number and home address.
  • Accuracy: keep data up to date. Remove bounced email addresses and update changed contact details.
  • Storage limitation: do not keep data longer than you need it. Delete old mailing list subscribers who have not engaged in years.
  • Security: keep data safe. Use strong passwords, do not store customer data in unsecured spreadsheets shared publicly, and be careful about who has access.
  • Accountability: you must be able to demonstrate that you comply with these principles if asked.

Collecting emails and mailing lists

Email marketing is one of the most common ways craft sellers and event hosts process personal data. The rules are straightforward:

  • You need consent to send marketing emails. This means the person must have actively opted in: not pre-ticked, not added without asking, and not signed up because they bought something from you.
  • The consent must be specific and informed: tell people what they are signing up for (e.g. "monthly updates about upcoming craft fairs") and who is sending the emails.
  • Every marketing email must include an easy way to unsubscribe. Most email platforms (Mailchimp, Mailerlite, etc.) handle this automatically.
  • Keep a record of when and how each person gave consent. If you use a sign-up form at a craft fair, keep the forms or photograph them.

The exception: if someone has previously bought from you or enquired about your products, you can email them about similar products without explicit consent; this is called the "soft opt-in" under the Privacy and Electronic Communications Regulations (PECR). But you must still offer an easy opt-out, and the email must be about products similar to what they already showed interest in.

Privacy notices

A privacy notice tells people what data you collect, why you collect it, and what you do with it. Every business that processes personal data should have one.

For a small craft business, a privacy notice does not need to be a long legal document. A short, clear statement covering the following is sufficient:

  • What data you collect (e.g. name, email address, postal address, order details).
  • Why you collect it (e.g. to fulfil orders, to send marketing emails, to manage event bookings).
  • Who you share it with (e.g. postal services for deliveries, email platform for newsletters).
  • How long you keep it (e.g. order records for 6 years for tax purposes, mailing list data until they unsubscribe).
  • How people can contact you to see, correct, or delete their data.

If you have a website, put the privacy notice on a dedicated page. If you collect data via a booking form or application form, include a link to your privacy notice on the form.

ICO registration

The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most businesses and organisations that process personal data need to register with the ICO and pay an annual fee.

The fee structure is tiered:

  • Tier 1: £40 per year, for organisations with a maximum turnover of £632,000 and no more than 10 members of staff. This covers most sole traders and small craft businesses.
  • Higher tiers exist for larger organisations.

Some exemptions exist, for example, organisations that only process personal data for staff administration, accounts, or record-keeping and have no more than 250 employees may be exempt. The ICO has a self-assessment tool on their website to check whether you need to register.

Registration is straightforward and can be done online at ico.org.uk.

Event photography and social media

If you photograph people at your events for marketing or social media, GDPR applies. The practical approach:

  • Put up clear signage at your event stating that photography is taking place and may be used for marketing purposes. This gives attendees notice.
  • If someone asks you not to photograph them, or asks you to remove a photograph, comply promptly.
  • Be particularly careful with photographs of children; always get parental consent before photographing children in a way that identifies them.
  • If you are posting photos on social media, you do not usually need individual consent for crowd shots where no one is the focus. But close-up photographs of identifiable individuals should only be used with their knowledge.

For event hosts sharing vendor photos (stall setups, product shots), this is generally fine; vendors expect their products to be promoted. But sharing personal details about vendors beyond what they have agreed to is a different matter.

GDPR on the stall: what applies at a craft fair

Selling face to face does not take you outside data protection law. The most common situation is the mailing list sign-up sheet on your stall: a paper list of names and email addresses is personal data just like an online form, so the same consent rules apply. Tell people what they are signing up for, do not leave the completed sheet lying open where other customers can read previous entries, and transfer the details to your email platform (then store or destroy the paper securely) soon after the fair. If you take a customer's name, address, or phone number for a commission or a follow-up order, that is fine without separate consent; you are processing it to fulfil the contract, but you should still only keep it as long as you need it. And if you photograph your stall during the event with customers in shot, the same photography principles apply as anywhere else: crowd shots are generally fine, but identifiable close-ups should only be used with the person's knowledge.

For craft fair organisers, GDPR applies just as squarely. Stallholder application forms typically contain names, contact details, insurance documents, and sometimes bank details: all personal data that you, as the organiser, are responsible for as data controller. That means including a link to your privacy notice on the application form, storing applications securely, not sharing stallholder details with venues or other third parties beyond what applicants would reasonably expect, and not keeping old applications indefinitely. If you email past applicants about future fairs, the soft opt-in may cover sellers who previously booked with you, but every email still needs an easy opt-out.

Official Sources

StallSync gives craft fair organisers one secure place to collect and store stallholder applications, insurance documents, and contact details, and lets stallholders manage their bookings for every fair in one account. Find out more at stallsync.co.uk

You Might Also Find These Helpful

This guide is for general information only and does not constitute legal advice. GDPR requirements can be complex in specific situations ; for detailed queries, consult the ICO guidance or a data protection professional.

Track your compliance documents in one place.

Create your free Event Passport