Still not Prepared for GDPR? Here’s What you Need to do ASAP
The General Data Protection Regulation (GDPR) applies from 25 May (this Friday!). If this has passed you by or you’ve not taken any action yet, there’s no need to panic – but you do need to get started straight away. Here are 10 things you need to do:
1. Check what ‘personal information’ you hold. This is information which can be used to identify a living person, either on its own or in combination, e.g. name and telephone number. Most salons hold personal information on clients and employees. GDPR applies whether the information is held on a computer, on an electronic device like a phone or on paper.
2. Set up a privacy notice to tell clients and employees what personal information you hold, what you do with it, why you’ve got it and who you share it with. Are you holding information you don’t need, such as clients who haven’t actually been into your salon for years? If you pass data on to mailing houses, you need an agreement from them to confirm they will protect your data and hold it securely.
3. Set up a process for getting consent from new clients for them to receive marketing messages from you, especially by email. Under GDPR there are 6 lawful reasons for processing personal information. Consent is one of them, and it’s the most important for salons. Clients must be able to opt in, and it must be clear exactly what they are agreeing to.
4. Don’t worry about existing clients. You don’t need to get consent from them if their personal information was collected as part of you providing services, treatments or products to them, you’re only marketing for similar purposes, and every marketing message includes a clear and easy opt out (an ‘unsubscribe’).
5. Work out if you hold any ‘special category’ data, especially health records or personal information on people under 16, because you will need consent to collect and hold such information. Hair salons should have allergy alert test records for hair colour clients, and beauty salons will have consultation records which contain health information to indicate a treatment isn’t suitable for certain clients.
6. Make sure you can easily record who consented to marketing messages, how they consented, which communication methods they consented to and what kind of marketing messages. Your salon software provider should be able to help with this.
7. Make sure you can manage ‘unsubscribes’ so you never send marketing messages to someone who has already told you they don’t want to receive them.
8. Get rid of personal information you no longer need. But before you chuck everything out, bear in mind you need to keep health records for 4 years, finance records for 6 years and employee records for 6 years after they’ve left.
9. Know what rights individuals have, including employees. They have the right to see ALL the information you hold about them, and to have their information corrected or deleted.
10. Make use of the NHF guide on GDPR and template documents (free to members): consent forms for marketing, health records and under 16s; a privacy notice saying what personal information you hold and what you do with it; a data retention policy saying what information you keep and for how long; and – because life isn’t perfect! – a process to follow if things go wrong and data is accidentally shared, lost or damaged.
Further information can be found on the Information Commissioner’s Office (ICO) website: www.ico.org.uk