It only seems like five minutes since the General Data Protection Regulation (GDPR) came into force across the European Union (EU), sending countless business owners into a mad panic about the way they manage sensitive personal data about their customers and employees. Yet here we are, months down the line and still, many of those businesses haven’t yet taken the necessary steps to ensure they’re compliant with what is often referred to as the biggest change in data protection laws for 20 years.
If you’re one of them, don’t worry, we get it.
Between looking after your customers, managing staff and taking care of the thousands of little tasks that come as part and parcel of running your own salon business, you’ve got enough on your plate without worrying about privacy policies and fair processing notices.
So it’s understandable, sure, but that doesn’t mean you should risk leaving your GDPR duties much longer. The fines for non-compliance can be pretty severe, and the Information Commissioner’s Office (the organisation responsible for overseeing GDPR in the UK) isn’t playing around when it comes to dishing those fines out when they need to.
That’s the bad news. Now, here’s the good news: even months after GDPR came into effect, it’s still not too late to ensure your salon is fully compliant. Better yet, doing so doesn’t have to be half as long, or half as complicated as it might first seem.
Here, we’ve put together your complete, easy-to-follow GDPR compliance checklist for salons, looking at everything you need to know to ensure you’re bang up-to-date with the new law. Before we get into that, however, let’s take a moment to address some of the major concerns raised by the salon owners we’ve chatted to about GDPR.
I was already complying with the Data Protection Act – why do I need to bother with GDPR?
When the Data Protection Act (DPA) 1998 first came into force back in the late ’90s, it was perfectly good enough for that time period. 20 years down the line and things have changed dramatically. The way we collect, use and manage data is drastically different than it was back in the 90s, which means the DPA isn’t really fit for purpose any more.
The same applies to similar data protection laws in other EU member states. That’s why GDPR was created in the first place.
It’s designed to make data protection law relevant and appropriate for the modern digital age by replacing outdated legislation like the DPA. In other words, the 1998 version of the Data Protection Act as you once knew it is no longer the legislation that governs data protection in this country, which is why you need to ensure your salon is GDPR compliant.
That said, you don’t necessarily have to start from scratch.
If you were already taking steps to ensure your business was compliant with the DPA, then you’ve already done much of the hard work needed to ensure you’re compliant with GDPR. Still, that doesn’t mean you can afford to ignore GDPR altogether. There are still some differences, and it’s important to pay attention to them if you’re to keep the Information Commissioner’s Office (ICO) from showing up at your salon with a nasty fine.
Brexit is happening next year: Won’t that make all of this redundant?
No, it won’t. In the United Kingdom, GDPR is enforced by an updated Data Protection Act 2018. That mainly mirrors what’s in GDPR, and will continue to be the governing data protection law once we finally pack our bags and ship out of the EU next March.
So, if you’re going to keep your business in the ICO’s good books, you’ll need to tackle your GDPR tasks now and keep that level of compliance even after Brexit.
Okay, so what do I need to do create a GDPR-compliant salon?
Though it can seem like a lot, working your way through this simple GDPR checklist is the easiest way to ensure you’re sticking to the rules.
Take inventory of your data
Just as you probably take stock of your essential supplies and any products you might sell in your salon, the ICO encourages you to also take stock of all the data you currently hold.
That means data not only relating to your clients, but also to employees, suppliers, and anyone else relating to your business.
As you go about creating this inventory, you’ll need to assess your data and determine whether or not you really need to keep it, and if you’re legally allowed to store it.
Some questions you’ll need to ask include:
- What kinds of information do we collect and store?
- Are we collecting and storing it only for a valid reason?
- Are we keeping that information only for as long as is really necessary?
- Are we doing enough to ensure that the information we store can only be accessed by people who need to access it to do their jobs?
- Are we doing enough to ensure that the information is only being used for its intended purpose?
- Do we share this information with any third parties? If so, why? Should we still be doing this?
Doing this will help you determine exactly what you’re allowed to keep and what you should be looking to get rid of.
It will also prove to be highly effective in ensuring that when you do store and collect any data, it’s done so in accordance with GDPR.
All of the remaining items on this checklist should be applied to any and all types of data that you process.
Understand lawful basis
The concept of “Lawful Basis” is the very foundation upon which GDPR is built. It basically means that you’re only allowed to collect and process any and all kinds of personal data if you can prove that you have a lawful reason to do so.
The regulation lists six different kinds of lawful basis that you can use. These are:
The data subject has given you consent to use their data for a specific purpose
You need to use the data to fulfil a specific part of a contract agreement
You need to process data to comply with the law
You need to process data in order to perform a legitimate function for your business
You need to process data in order to carry out an official public duty
You need to process data to save or protect a person’s life.
To be honest, as a salon owner, most of these aren’t going to apply to you. Public task, for example, is primarily about using data in a governmental agency. For your business, the one lawful basis that is most applicable is that of consent.
Check & update the way you gain consent
For the purposes of GDPR compliance, consent means that you can use a person’s data only for the purposes that they have given you their express consent for. This also relates to any information that you’ve collected before GDPR came into play.
For example, if you collect a customer’s email address or telephone number when they book an appointment, you could claim that the lawful basis for collecting that data is that of Legitimate Interest if you use it to send a confirmation or an appointment reminder. However, you can’t then simply decide to add that customer’s details to your marketing list so you can send them your latest special offers.
This is unlikely to be considered a legitimate interest, and would instead need you to gain the person’s express consent to use their data for that purpose. If you’re ever in doubt about which lawful basis to use when collecting data, consent is typically the best one to go for as it makes it absolutely clear that you have outright consent to use data for a specific purpose.
With that in mind, now is the time to look at the way you gather data and ensure that where you are using consent, you’re doing so in accordance with three rules:
- That you’re obtaining the data fairly
- That you’re gaining explicit consent to use the data given for a specific purpose
- That you make it clear to the individual how they can withdraw their consent should they need to
Update your IT security
Running a salon, it’s easy to overlook IT as having much of an impact on your business. Yet if you keep your customer records in a spreadsheet or database, if you use mailing lists and email programmes, and if you use tools like laptops and iPads in your business, then yes, IT security is just as important to you as it would be if you ran an office.
Tasks you’ll need to look at here include:
- Ensuring all the personal data you store is fully encrypted. Tech blogs like The Next Web and PC World have lots of advice about encryption tools you can use
- Ensuring you’ve got sufficient anti-virus and anti-malware software installed on your devices
- Creating a secure, off-site back-up of your data so that you can always get data back if it’s lost or stolen. Using cloud backup services may be a good option for you in this instance
Adding an SSL certificate to your website to ensure that any data customers send to you via contact or payment forms is fully encrypted.
Train & educate your staff on GDPR
At its heart, GDPR is all about ensuring individuals’ data is safe and well protected against a potential breach. Yet even if you employ some super IT guru to install the latest cutting-edge security tools on your laptop, there’s always the chance that one wrong click of a mouse from one of your staff could land you in hot water.
In fact, statistics released by the ICO show that four out of the five top causes of data breaches are all down to human error. With that in mind, now’s a good time to ensure that anyone working in your salon is fully informed as to how GDPR impacts their work and what they need to be doing in order to ensure your business remains compliant.
Create your privacy notice
A privacy notice can be a straightforward document that outlines some key details about the way you process data. At a minimum, it should include:
- The name of your business
- The reasons you collect data
- What lawful basis you have to collect that data
- Who that data will be shared with (such as employees or suppliers) and what grounds you have to share it
Prepare how you’ll respond to data requests or breaches
Your privacy notice should also inform people of their personal data rights, such as the right to request a copy of the information you hold about them or the right to have that information deleted. With that in mind, it pays to prepare for such requests in advance.
If a customer asks to see the data you hold about them, would you know how to get them a copy in a format that’s suitable for them? On a related note, it pays to be prepared for the worst possible eventuality:
A data breach.
GDPR states that if such a breach occurs, you need to report it to the relevant authority (in this case, the ICO) within the first 72 hours of discovering the breach. Ideally, however, it’s always better to report it within the first 24 hours. As you go through your salon’s GDPR compliance checklist then, ensure that you’d know how to identify a data breach and how you’d handle it should one occur.
How has GDPR affected your salon business? What’s been the biggest challenge you’ve faced in ensuring you’re fully compliant with the new GDPR protection law? Share your experiences with us and other salon owners through Facebook and Twitter.