Skip to the content

Back to Business Hub
Are you GDPR ready?

Are you GDPR ready?

What is GDPR?

GDPR stands for General Data Protection Regulations that are coming into force on the 25th May this year. In simplest form the new regulations impact the way you contact your customers and the consents you have to do so.

Most businesses will be impacted and for salons, there is no way around the fact that customer data is handled on a day-to-day basis. From client and team records, contact details, children’s names, allergy and colour test results and medical information; all this data needs to be handled in the correct way, as well as have the right consents attached to it. I.e. you have to be able to show that your customers have given you their specific consent to hold their data or to be contacted for marketing purposes. This includes appointment reminders and offers.

Unfortunately, none of us can escape from the upcoming changes in regulations. If you fail to comply you may suffer hefty fines from the Information Commisioner's Office (ICO) and they are not averse to naming and shaming companies who fail to comply.

There are eight key data principles to be considered:

1. Fair and lawful processing

2. Obtained for one or more specified and lawful purposes

3. Adequate, relevant and not excessive

4. Accurate and up to date

5. Not kept longer than necessary

6. Processed in accordance with rights of data subjects

7. Measures to be taken against unauthorized or unlawful processing and against accidental loss, destruction or damage of personal data

8. Not transferred outside EEA unless adequate level of protection for rights and freedoms of data subjects

What do you need to think about as a salon owner or manager?

Firstly, think about if you carry out any of the below?

• Email or text clients
• Store information about clients – on paper or computer, tablet etc.
• Monitor your salon with CCTV
• Store CVs
• Hold next of kin or passport/ID details for team members 
• Have online booking 
• Collect details for users of your salon WiFi 
• Hold information on any customers aged under 16

What are your processes or policies for carrying out such activities? Do you need to change these? How did you get this data? Do you have the right to use your current data? How do you store this data? Is this data secure?

Requirement One

Following a review, create or adapt your privacy policy to clarify ways in which you hold and use data, where it is stored and how long it is stored for. Plus, how someone can withdraw their details upon their request.

Not sure where to start?

Visit here for some starting points.

In a recent article in Creative HEAD Julie Hensman from Hensmans explains:

Our privacy policy explains why we hold their data and what it will be used for: colour records, text appointment reminders and for those agreeing to receive promotional material, a monthly newsletter and birthday and Christmas cards.”

Do not assume a client is OK for you to use their details in a certain way. You need to write exactly what the data will be used for.

Requirement Two

Remove any 'old' data i.e. any data you don’t use or need anymore. How long you keep your current and any new data must be in your revised privacy policy. If you have hard copies of old data you are disposing of ensure you shred any personal information.

Requirement Three

Define an age of consent, where a person no longer needs their parent or guardian’s permission to receive services and/or marketing. This is usually 16 years old. You should review the list of children's data you hold and apply the same changes to your porcesses and policies as with adult data, but you will need the parent's consent.

Requirement Four

Get in touch with your customers before the 25th May to request their consent to hold their data or to allow them to opt-out. For those who opt-in, use this as an opportunity to check their details and preferences are correct. This also gives clients a very open opportunity to object to their data being used and you cannot use their data unless they opt-in. The easiest way to contact clients before the deadline is email but bear in mind you must be able to prove record of this consent or be able to control removing/ unsubscribing clients who do not wish to be contacted.

Requirement Five

Enable any additional client opt-ins and permissions. For example, to hold medical information you must have a client’s permission first. Some salon software providers are introducing functions to hold this information separately to keep it more secure from a client’s general records.

Requirement Six

Give your clients the ‘right to be forgotten’. This is essentially, removing all of a client’s data from your records and systems.

Requirement Seven

Be prepared for data requests. With the change in regulations it is likely you may get some clients asking for what data you hold on them. You have 30 days to provide this. Can you do this? Can your salon software company help you to do this?

Requirement Eight

Track all of your data changes and keep record of those amends.

Finally, remember to keep your team informed of your processes and policies as they are the ones that will have to adhere to them and be able to communicate any such policies to clients, should they ask.

All this information can be overwhelming.

However, we would advise speaking to your salon software company as they are likely to have resources regarding the system you use, that will allow you to change processes specific to your salon.

It’s true that the GDPR brings changes to rules around consent, but with the proper practices in place, your marketing shouldn’t be too badly affected.” Royal Mail

Do I need to appoint a Data Protection Officer (DPO)?

For most salons, you shouldn't need to appoint a DPO as you aren't a business that will be handling data on a large scale, such as call centres, emergency services etc.

Learn more about designation of a DPO

Where can you find more information?

Information Commissioner’s Office (ICO)

National Archives

Scroll To Explore