Everything You Need To Know About GDPR For Salons: Compliance Checklist For 2018

Our Reviews

4.9 / 5 Based on 967 Reviews
Read all reviews »

The General Data Protection Regulation (GDPR) applies from 25th May 2018 and deals with how organisations deal with personal information. As a salon owner, it affects the way you run your business, as there are certain pieces of your clients’ personal information that you currently hold.

The GDPR is similar to the Data Protection Act (DPA) and so as long as you already comply with that, the effect on your business may be minimal. However, there are some changes that you may need to make to how you deal with personal information.



The first thing you need to do is determine what personal information you hold, where you get this information and what you do with the information via an information audit.

The GDPR requires you to document this. By doing so, it will be easier to comply with the requirements of the GDRP including the accountability principle. Read more information on keeping client consultation records.


The rights of individuals

The rights of individuals under the GDPR are similar to their rights under the DPA with some differences. The main difference is the right to data portability. This means that you are required to supply any personal information you hold to the person it relates to in a standard, easily readable format, free of charge.

Under the DPA you had 40 days in which to comply with a request from someone for a copy of the personal information that you hold on them. Under the GDPR that has been reduced to 30 days.


Lawful basis

You are only allowed to hold and process personal information if you have a lawful basis to do so. One of the main changes as a result of GDPR is that people have a right to have their personal information deleted in a number of circumstances.

You should document what lawful basis you’re using to justify holding and processing personal information. This will help you comply with the accountability requirements imposed by GDPR.



You’re required to obtain consent to use collect, hold and use personal information. This must be on an opt-in basis. You cannot assume consent. If you are collecting, holding and using a minor’s personal information, you’re required to obtain consent from the minor’s parent or guardian.

If you have already obtained consent under the DPA, you will not normally need to obtain fresh consent to satisfy the requirements of the GDPR. However, you should make sure that all consent is properly recorded.


Privacy notices

If you collect personal information, you are required to tell people who you are and what you intend to do with that information.

The GDPR goes further and means that you are also required to tell people:

  • Why it is legal for you to collect and process their personal information
  • How long you will hold their personal information
  • How people can complain to the Information Commissioner’s Office (ICO) if they have an issue with how you have handed their personal information.


Data breaches

If there is a data breach that is likely to adversely affect any individuals involved, you’re required to notify the ICO and the individuals in question. You should make sure that you have procedures in place to detect any such breaches, including a plan for how these breaches will be handled.



  • If you are already complying with the DPA, it should be relatively easy to adapt to the GDPR
  • Document what personal information you hold and process
  • Understand the rights of the individuals involved
  • Only hold and process personal information if you have a lawful basis for doing so
  • Obtain consent and issue privacy notices when you collect personal information. Remember that the rules on consent are different if you are collecting a minor’s personal information
  • Make sure you have a documented plan for dealing with data breaches
  • Deal with any data breaches as quickly and efficiently as possible


For more information on GDPR and the next steps, please visit the ICO‘s website, where you’ll find a range of resources on the subject. Below, we’ve listed some of the resources you’re most likely to need to get you GDPR-ready:



How are the changes to GDPR affecting your salon? Have any tips for your fellow salon owners? Share them with us in the comments on Facebook and Twitter.

Salon Gold provides insurance for salons. For further information, please visit our Salon Insurance page.

Related Articles:

Join Us Today!

Our Reviews

4.9 / 5 Based on 967 Reviews
Read all reviews »

Quick, easy and great price. would fully recommend

2 hours ago

Super easy to get the correct insurance for my company

2 hours ago

Salon Gold is very easy to understand with simple steps and helpful notes where needed on some of the 'technical questions'. It made what can be a stressful... Read more »

on Aug 14th
© Copyright 2018 Salon Gold | Salon Gold, Holistic Gold, Counselling Gold and Fitness Gold are products of Henry Seymour & Co (Barkdene Ltd) which is authorised and regulated by the Financial Conduct Authority.Registered in England No 1842617 Insurance Brokers. All rights reserved.
Get a Quote