Let's be honest: between two sessions, GDPR isn't exactly what gets you fired up. But here's the thing — the moment you jot down a client's first name, email, or medical history, you're handling personal data. And the health form (allergies, medications, pregnancy) is flat-out sensitive data in the eyes of the law. Good news: you don't need a lawyer. You need three or four clean habits. Let's walk through them.
The one principle to remember
You can collect a piece of info if you genuinely need it to do your job safely. That's it. A name and contact to manage the appointment: yes. A health form to avoid a reaction during the session: yes. Their full date of birth "just for fun" when a simple "over 18?" would do: no. The less you keep, the less you have to protect.
You don't need to know everything about your client. Just enough to tattoo them safely.
The health form: the most sensitive piece
This is where it gets the most delicate. Allergies, diabetes, blood thinners, pregnancy: this is health data, the highest level of protection there is. Three simple habits are enough: ask only for what's useful (the stuff that changes how you work, or makes you turn down the session — not a full medical history); explain why in one line above the form ("this info is used only for your safety during the session"); and don't leave it lying around in an open notebook or an Insta chat, but in one closed place where you know exactly who can see it.
Photos: a real yes, especially for Insta
The tattoo itself is your work — you're free to document it. But the moment the person is recognizable — face, intimate placement, context — or you want to post on your socials, you need their explicit agreement. Not a "you don't mind, right?" tossed out while you pack up your gear. A real yes, ideally in writing.
- Keep two consents separate: photo for your private follow-up/portfolio ≠ public posting. Someone can say yes to one, no to the other.
- Plan for the healing follow-up case: if you ask for photos at day 3, day 14, and day 30, say so upfront and make clear it stays between the two of you.
- Someone can change their mind. If a client asks you to take down a posted photo, do it without arguing.
Keep, secure, delete
- One single place for client data, not ten notebooks + three DMs + a lost spreadsheet.
- Protected access: a strong password, and ideally two-factor authentication (2FA) on whatever tool you use.
- Don't keep everything forever: a health form for a client you haven't seen in three years has no business still being in your files.
- Be able to answer if someone asks "what do you have on me?" or "delete my data": that's a right, and it's quick when everything is tidied away in one spot.
Where Inkkore makes your life easier
The trap isn't the law — it's the scattering. When health info lives in a notebook, messages in your Insta DMs, photos on your phone, and appointments in your head, there's no way to stay clean. Inkkore brings it all together: a unified inbox (IG, WhatsApp, email), CRM, agenda, and client records in one place, behind an account protected by 2FA. Healing follow-up at day 3, day 14, and day 30 is built into the tool instead of being cobbled together in a chat, and the public booking page lets you ask for the right info, at the right time, in the client's language — 15 languages available. Bottom line: GDPR isn't some lawyer's chore, it's just keeping your house in order — ask for what's useful, explain it, protect it, delete it when it's done. (And no, this isn't legal advice: for a tricky case, a legal pro is still your best friend.)