
Crafts Council


Preparing for General Data Protection Regulation (GDPR)

A guide for makers and designers

This is an introduction to the legal requirements businesses must comply with in order to manage how personal data is used and stored. Please use the links at the end of the document to explore more detailed information. Please note that the Crafts Council is not an authority on GDPR; this information is provided as guidance only. Please refer any queries to the ICO (Information Commissioner's Office).

What is GDPR?

The GDPR is Europe's new framework for data protection laws. It replaces the previous 1998 data protection directive, which current UK law is based upon. GDPR came into force on 25th May 2018. If you hold anyone’s personal data for your business then you should already be DPA (Data Protection Act) compliant; the changes are minor but provide a good opportunity to review the data you already hold.

Why is data protection important? Data protection laws aim to control the way information is handled and to give legal rights to people who have information stored about them.

Definition: Personal Data (PD) is any data that you can use to identify a person/business/organisation.  What PD of others do you have that is identifiable?

  • PD can be stored manually and digitally
  • Are you the data processor (who manages/uses the data and how) or the data controller (who is in control of the data)? If you are a sole trader, then you are both the processor and controller.

What does it mean for me/my business?

You need to ensure the processes you use to collect data and manage data are:

  • Lawful, fair and transparent
  • Notify the person/business/organisation of the purposes for which data is collected
  • Accurate and up to date
  • Relevant – only collect information you need
  • Retention (how long you keep it for)

What is a privacy policy? Do I need one?

Yes! Thinking through the processes for collecting, storing and using personal data will allow you to produce a compliance framework, or privacy policy, for your business and implement these procedures as part of your day-to-day activity.  Such a policy does not have to be complicated; it needs to be realistic, achievable and practical. 

Ask yourself:

  1. Are your contacts/clients/customers/services aware of the data you hold?
  2. How do you store it?
  3. How long have you had this data? When was it last updated? Is the data still current? How long do you need to keep it for? And why?
  4. Do you hold any sensitive data, such as bank account details? How do you protect this data?
  5. How will you share your privacy policy with all these new contacts before they agree to sign up for your newsletter?
  6. How will you store all this new data now that you are GDPR compliant? Just a password-protected spreadsheet won’t cut the mustard! Look at using encryption and iCloud storage so you can delete the data remotely if your device is stolen.

If you are unsure, it is worth contacting the ICO. There is also the option to seek legal advice in creating a policy document; please note this will have cost implications.

What should I do now?  - Top tips:

  • Think about whether you need to have a privacy policy – we advise you probably do.
  • Look at some examples from organisations similar to yours – or bigger businesses with lots of fancy lawyers to write them! Platforms that use your business's personal data, e.g. Mailchimp, Facebook, Etsy, Dropbox etc., should be GDPR compliant and you can review their policies on their websites.
  • If you employ other individuals or companies, you need to show your compliance, e.g. link to your policy online, and see their compliance on data protection
  • Gaining personal data can be either through consent, e.g. someone adding their details to your mailing list at an event/through your website, or through legitimate interest, e.g. a contract with an individual
  • Online buyer – for compliance you need at least an opt-out option
  • Emails (such as e-news) need to have an opt-out option


  • Research into GDPR using the links below – what do you need to know?
  • Review and update your data
  • Write and implement a data protection policy
  • Take a sensible and practical approach
  • Be aware and take action
  • Don’t panic

Useful links