For Stallholders & Event Hosts

GDPR for Craft Businesses and Event Hosts

Last updated: March 2026 · 8 min read

GDPR sounds intimidating, but for a small craft business or event host, compliance is more straightforward than you might think. If you collect email addresses, take card payments, photograph customers at events, or store vendor application details, you are processing personal data — and the UK GDPR and Data Protection Act 2018 apply. This guide explains what that means in practice and what you actually need to do, without the jargon.

Key Point

GDPR applies to almost every craft business and event host, but compliance for small businesses is not as complex as it sounds. A short privacy notice, proper consent for marketing emails, and sensible data handling covers most situations.

Does GDPR apply to me?

Almost certainly yes. The UK GDPR applies to any individual or organisation that processes personal data — and "personal data" is any information that can identify a living person.

For craft sellers, you are processing personal data if you:

  • Collect email addresses for a mailing list or newsletter.
  • Take card payments (your payment processor handles most of the technical compliance, but you are still the data controller).
  • Keep customer order records with names and addresses.
  • Photograph customers or their purchases for social media.
  • Maintain a customer database or contact list.

For event hosts, you are processing personal data if you:

  • Collect stallholder personal information via application forms.
  • Store vendor contact details, insurance documents, or booking records.
  • Take event photographs showing identifiable people.
  • Send email marketing to past vendors or attendees.
  • Share vendor details with venue managers or other third parties.

The only exemption is purely personal or household activity — if you are genuinely just making things for family and friends with no business element, GDPR does not apply.

Key principles in plain English

The UK GDPR is built on a set of principles. In plain English, they mean:

  • Lawful basis — you need a legitimate reason to collect and use personal data. For marketing emails, the reason is usually consent (the person opted in). For contracts (booking confirmations, invoices), the reason is "performance of a contract."
  • Transparency — tell people what data you are collecting and why. A short privacy notice on your website or booking form is sufficient.
  • Data minimisation — only collect what you actually need. If all you need is an email address for your mailing list, do not also ask for a phone number and home address.
  • Accuracy — keep data up to date. Remove bounced email addresses and update changed contact details.
  • Storage limitation — do not keep data longer than you need it. Delete old mailing list subscribers who have not engaged in years.
  • Security — keep data safe. Use strong passwords, do not store customer data in unsecured spreadsheets shared publicly, and be careful about who has access.
  • Accountability — you must be able to demonstrate that you comply with these principles if asked.

Collecting emails and mailing lists

Email marketing is one of the most common ways craft sellers and event hosts process personal data. The rules are straightforward:

  • You need consent to send marketing emails. This means the person must have actively opted in — not been pre-ticked, not been added without asking, and not been signed up because they bought something from you.
  • The consent must be specific and informed — tell people what they are signing up for (e.g. "monthly updates about upcoming craft fairs") and who is sending the emails.
  • Every marketing email must include an easy way to unsubscribe. Most email platforms (Mailchimp, Mailerlite, etc.) handle this automatically.
  • Keep a record of when and how each person gave consent. If you use a sign-up form at a craft fair, keep the forms or photograph them.

The exception: if someone has previously bought from you or enquired about your products, you can email them about similar products without explicit consent — this is called the "soft opt-in" under the Privacy and Electronic Communications Regulations (PECR). But you must still offer an easy opt-out, and the email must be about products similar to what they already showed interest in.

Privacy notices

A privacy notice tells people what data you collect, why you collect it, and what you do with it. Every business that processes personal data should have one.

For a small craft business, a privacy notice does not need to be a long legal document. A short, clear statement covering the following is sufficient:

  • What data you collect (e.g. name, email address, postal address, order details).
  • Why you collect it (e.g. to fulfil orders, to send marketing emails, to manage event bookings).
  • Who you share it with (e.g. postal services for deliveries, email platform for newsletters).
  • How long you keep it (e.g. order records for 6 years for tax purposes, mailing list data until they unsubscribe).
  • How people can contact you to see, correct, or delete their data.

If you have a website, put the privacy notice on a dedicated page. If you collect data via a booking form or application form, include a link to your privacy notice on the form.

ICO registration

The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most businesses and organisations that process personal data need to register with the ICO and pay an annual fee.

The fee structure is tiered:

  • Tier 1: £40 per year — for organisations with a maximum turnover of £632,000 and no more than 10 members of staff. This covers most sole traders and small craft businesses.
  • Higher tiers exist for larger organisations.

Some exemptions exist — for example, organisations that only process personal data for staff administration, accounts, or record-keeping and have no more than 250 employees may be exempt. The ICO has a self-assessment tool on their website to check whether you need to register.

Registration is straightforward and can be done online at ico.org.uk.

Event photography and social media

If you photograph people at your events for marketing or social media, GDPR applies. The practical approach:

  • Put up clear signage at your event stating that photography is taking place and may be used for marketing purposes. This gives attendees notice.
  • If someone asks you not to photograph them, or asks you to remove a photograph, comply promptly.
  • Be particularly careful with photographs of children — always get parental consent before photographing children in a way that identifies them.
  • If you are posting photos on social media, you do not usually need individual consent for crowd shots where no one is the focus. But close-up photographs of identifiable individuals should only be used with their knowledge.

For event hosts sharing vendor photos (stall setups, product shots), this is generally fine — vendors expect their products to be promoted. But sharing personal details about vendors beyond what they have agreed to is a different matter.

This guide is for general information only and does not constitute legal advice. GDPR requirements can be complex in specific situations — for detailed queries, consult the ICO guidance or a data protection professional.
