The General Data Protection Regulation (GDPR) applies from 25th May 2018 and governs how organisations handle personal information. As a salon owner, it affects the way you run your business, because you currently hold certain pieces of your clients’ personal information.
The GDPR is similar to the Data Protection Act (DPA) and so as long as you already comply with that, the effect on your business may be minimal. However, there are some changes that you may need to make to how you deal with personal information.
The first thing you need to do is carry out an information audit to determine what personal information you hold, where you get that information from and what you do with it.
The GDPR requires you to document this. Doing so will make it easier to comply with the requirements of the GDPR, including the accountability principle. Read more information on keeping client consultation records.
The rights of individuals
The rights of individuals under the GDPR are similar to their rights under the DPA with some differences. The main difference is the right to data portability. This means that you are required to supply any personal information you hold to the person it relates to in a standard, easily readable format, free of charge.
Under the DPA you had 40 days in which to comply with a request from someone for a copy of the personal information that you hold on them. Under the GDPR that has been reduced to 30 days.
You are only allowed to hold and process personal information if you have a lawful basis to do so. One of the main changes as a result of GDPR is that people have a right to have their personal information deleted in a number of circumstances.
You should document what lawful basis you’re using to justify holding and processing personal information. This will help you comply with the accountability requirements imposed by GDPR.
You’re required to obtain consent to collect, hold and use personal information. This must be on an opt-in basis. You cannot assume consent. If you are collecting, holding and using a minor’s personal information, you’re required to obtain consent from the minor’s parent or guardian.
If you have already obtained consent under the DPA, you will not normally need to obtain fresh consent to satisfy the requirements of the GDPR. However, you should make sure that all consent is properly recorded.
If you collect personal information, you are required to tell people who you are and what you intend to do with that information.
The GDPR goes further and means that you are also required to tell people:
- Why it is legal for you to collect and process their personal information
- How long you will hold their personal information
- How people can complain to the Information Commissioner’s Office (ICO) if they have an issue with how you have handled their personal information.
If there is a data breach that is likely to adversely affect any individuals involved, you’re required to notify the ICO and the individuals in question. You should make sure that you have procedures in place to detect any such breaches, including a plan for how these breaches will be handled.
- If you are already complying with the DPA, it should be relatively easy to adapt to the GDPR
- Document what personal information you hold and process
- Understand the rights of the individuals involved
- Only hold and process personal information if you have a lawful basis for doing so
- Obtain consent and issue privacy notices when you collect personal information. Remember that the rules on consent are different if you are collecting a minor’s personal information
- Make sure you have a documented plan for dealing with data breaches
- Deal with any data breaches as quickly and efficiently as possible