GDPR for Yoga Studios: The Essentials (No Jargon)

You handle sensitive health data every day. Here's how to stay GDPR compliant without hiring a lawyer.

What Counts as Personal Data?

Any information that identifies someone:

Name, email, phone number
Photos (including Instagram posts with students)
Health information (injuries, medical conditions, pregnancy)
Payment details

Health data is 'special category data' under GDPR—you need extra protection and explicit consent.

The Six Legal Bases

You must have a legal reason to process data. For studios, these three apply:

Contract: You need their contact details to provide the class they booked
Consent: Marketing emails (they must actively opt-in, not pre-ticked boxes)
Legitimate interest: CCTV for security (with clear signage)

Your Privacy Notice

You must tell students:

What data you collect (name, health info, payment)
Why you need it (safety, payment, marketing)
How long you keep it (usually 7 years for tax purposes, then delete)
Who you share it with (booking software, payment processors)
Their rights (access, deletion, complaint to ICO)

Post this on your website and include a link in your booking confirmation emails.

The Health Data Problem

When students declare injuries on your waiver form, that's medical data. You must:

Store it securely (encrypted if digital, locked cabinet if paper)
Only share with teachers who need to know for safety
Not discuss openly in the studio ('Sarah's bad back')
Delete after reasonable period post-injury

Instagram & Photography

You cannot post photos of students without explicit consent. 'They didn't object' isn't enough.

Best practice: Have a separate photography consent form. If someone opts out, keep a 'no photo' list and brief all teachers. Be extra careful with pregnancy yoga—many women don't want pregnancy photos public.

Data Breaches

If you accidentally email everyone's email addresses in the 'to' field, or your laptop is stolen with student records, you may need to report to the ICO within 72 hours.

Fines can reach £17.5 million or 4% of turnover (whichever is higher), though small accidental breaches usually get guidance rather than fines.

Quick Compliance Checklist

Privacy notice on website ✓
Booking system terms checked ✓
Photo consent forms for marketing ✓
Health data stored securely ✓
Unsubscribe link in all emails ✓
Data deletion process for ex-members ✓

You're probably doing 80% of this already—just formalise it with documented policies.

Coming soon

This is Beyond the Mat, a brand new site by Laura Blaya that's just getting started. Things will be up and running here shortly, but you can subscribe in the meantime if you'd like to stay up to date and receive emails when new content is

Welcome to Beyond the Mat

Your Operational Playbook for Yoga Studios Whether you're opening your first studio or scaling to multiple locations, we provide the systems and strategies you need to succeed. Start Here * Operations - Finance, staffing, legal, and systems * Teaching & Programming - Class design, training, and retreats * Business Growth -

The Complete Guide to Yoga Studio Insurance

Insurance is your safety net—but most studio owners are either underinsured or overpaying. This guide breaks down exactly what coverage you need. General Liability: Your Non-Negotiable Foundation Every studio needs General Liability insurance. This covers student injuries, slip-and-fall accidents, and property damage. Coverage recommendation: $1-2 million per occurrence, $3

Pricing Psychology for Yoga Studios

Your drop-in price anchors every other pricing decision. Get it wrong, and you train students to never commit. The Anchoring Effect When you price drop-ins at $19, you signal that $19 is the fair value. Then your $120 unlimited membership requires 6+ visits to break even, which feels risky. Better