General Data Protection Regulation (GDPR)
From 25th May 2018 new data protection rules have been in force across Europe. The General Data Protection Regulation (GDPR) replaces the old Data Protection Act and places several new requirements on you as the salon owner. Salons must follow the rules set out by GDPR, so you need to take action.
Every business has different requirements under GDPR. If you would like any further help or advice please don't hesitate to call us.
GDPR relates to all of the personal data that you hold about your clients and staff. This is important in our industry as you have to justify why you hold that information and have to prove you have consent to hold it. For example, do you need to hold the date of birth of a client in order to carry out the service? In some cases the answer will be yes, but in most cases it will be no. The same applies to their home address and any other personal data that you may have gathered over the years.
The first step is to carry out an audit of what information you hold, how you collected it and how you store it. Many salons will be able to separate their data into three groups: current clients, marketing clients (lapsed or potential) and staff (current, ex, applicants). Each group will hold different information and have a different justification for keeping or deleting the data. There are no hard and fast rules; however, if you always keep in mind that you have to be able to provide a justifiable reason for holding on to the data, that is a good start. Once you have carried out the audit and have a data register, you're in a much better position to decide what you need to do to comply with the regulations.
It's also important that senior staff are aware of their responsibilities and the business's responsibilities under GDPR, so it's worth sitting down with your manager and discussing what GDPR means for them and the business.
You may well have heard about the rules surrounding consent. GDPR states that in order for you to hold and use personal data you require consent from that individual. From a marketing point of view, explicit consent does present some issues, as the number of people who will agree is likely to be relatively low and therefore your marketing will be less effective.
Asking for consent
A checklist from the Information Commissioner to use when asking for consent is below:
- We have checked that consent is the most appropriate lawful basis for processing
- We have made the request for consent prominent and separate from our terms and conditions
- We ask people to positively opt in
- We don’t use pre-ticked boxes or any other type of default consent
- We use clear, plain language that is easy to understand
- We specify why we want the data and what we’re going to do with it
- We give individual (‘granular’) options to consent separately to different purposes and types of processing
- We name our organisation and any third party controllers who will be relying on the consent
- We tell individuals they can withdraw their consent
- We ensure that individuals can refuse to consent without detriment
- We avoid making consent a precondition of a service
- If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place
- We keep a record of when and how we got consent from the individual
- We keep a record of exactly what they were told at the time
However, there is a section within GDPR called 'Legitimate Interest' that indicates that where there is a clear relationship with a paying customer / current client and you require their data to complete the service, you do not require consent. However, how long after the client's last visit is someone a current client, 6 months, 12 months? After this time you will then need consent from the ex-client to keep their data, or will need to delete their information.
Direct marketing by post may also fall within the legitimate interest clause, as clients / ex-clients would reasonably expect you to promote products and services to them using basic personal data. However, this has yet to be tested in Court and it may be that you do need consent from these ex-clients in order to continue to market to them.
None of this has been tested in Court yet and legitimate interest is ultimately subjective. There is a risk that your view is not the same as that of the authorities and you'll still need to justify why you hold the particular information.
Skin test information
One of the questions that we've been asked is around allergy information and the results of a skin or scalp test. You require this information to complete the service so it is easy to justify why you need to keep it. However, what if a client declines for you to keep their results on file? In this instance we believe you'd then have to do a new scalp test before every colour application, as you have no written record of the previous test.
Registering with the ICO
If you handle personal data, you may need to register as a data controller with the Information Commissioner’s Office. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. Failure to register is a criminal offence.
If you use an accountant or payroll company to work out your staff's pay then you'll need to have a data processing agreement with them as you need to be sure, as the data controller, that they are also going to comply with GDPR. They should be able to provide you with a copy of this agreement as they will need one with all of their clients.
You’ll also need to consider how long you keep the personal details of ex-members of staff. For example, once someone has received their final pay you probably can’t justify keeping their bank details. The same applies to job applicants: once the decision has been made to appoint someone, can you justify keeping the details of the unsuccessful applicants on file without their consent?
A data breach
GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority (the information commissioner). You must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals. You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
Personal data breaches can include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
Right of access to data
Under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
It is unlikely that your clients would make a right of access request; however, it is important that you're aware that they can, and that you know what you need to do if it happens.
- You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- You may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information and the information must be provided without delay and at the latest within one month of receipt.
You may well have read or heard about the large fines that can be payable under GDPR, which are up to 4% of turnover or up to €20m (£18m). However, these fines are likely to be for the most serious data breaches.
We appreciate that GDPR seems daunting and stressful. Please do give us a call if you’d like to talk through your next steps.