There are just 2 months left until GDPR Day (May 25th 2018), so are you ready?
Yes? Well done you!
If not, it’s time to drag your head out of the sand because I’m guessing the last thing you want to risk is a 4% of your annual turnover fine – just because you didn’t have the time to figure it out, or found the whole thing confusing and over-whelming.
These are the top 8 things you need to action RIGHT NOW:
1. Choose and appoint a Data Protection Guru for your salon
This could be you, your salon manager or perhaps a brilliant Front of House who’s ready to step up. This person will be responsible for making sure you meet the rules and ensuring the whole team are up to speed on what they need to do to look after their clients’ records. They will also need to deal with any client data requests (see point 6).
2. Do a thorough audit of your current data collection
You’re probably collecting client information at the reception desk when clients first visit, but what about email addresses on your website, or over the phone? And then how and why do you use that info?
Make a list of:
– what data you are collecting (remember this could be for marketing purposes or it could be information about their skin tests and colour formulas)
– where you are collecting the data (online? In salon? Over the phone?)
– how you store that data (e.g. is it manual records, or do the people who manage your data for you (e.g. your online booking software, app provider, e-newsletter provider)
– how long you keep the data
– what you do with that data – from marketing messages, including texts, birthday messages and offers, to using it to provide the best possible service at future appointments.
Next have a think about whether this works for you and your clients? Is there anything that feels intrusive or that oversteps the line. For example, if you’re currently contacting clients years after they stopped visiting your salon, that could be seen as an intrusion.
3. Make sure you ask your clients’ permission to contact them
If your clients currently fill out their details on a welcome form when they first visit your salon, make sure that form contains a marketing opt-in that clearly states HOW you will be contacting them (you’ll need to keep some documentation of this form, including when it was filled out).
Got a newsletter sign-up, or first visit offer that requires an email address on your website? You’ll need to add a marketing consent box – that clearly states why and how you will contact them – to this page too.
4. Check in with your Data Processors
Data Processors are the companies that handle your data for you (it could be your online booking system, the company you use to send your emails, the marketing company you work with and/or anyone else who handles your clients’ data). Under new rules they also have responsibility for the data, but it’s up to you (the Data Controller) to outline how.
You need to know:
– Can we give clients the opportunity to opt out of all of our messages?
– Can we record exactly when and how we asked for permission to use their data?
– Can we remove some of a client’s data from our records? Can we remove a client from our records?
– Can we easily provide documentation of what information we have about our clients?
If the answer to any of the above is no, or you can’t get clarification you may need to consider finding a provider who can.
6. Have a plan to respond to client requests
From May 25th, your clients will be able to ask what information you have about them (this is called a Subject Access Request) and you’ll be required to give them this information free of charge, within one month. This may seem unlikely, but if it does happen and you aren’t ready, you’ll be in breach of the rules – and I don’t need to remind you about the potentially hefty fines for data breaches.
Clients can ask you to update any incorrect records, be removed from any profile groups you’ve added them to, or have their information removed from your records – so you need to know that you can do these things.
7. Make sure your salon’s security is safe and secure
At the most basic level, your client records need to be kept safe and secure (good old-fashioned lock and key perhaps!) and should not be identifiable if there is a breach (so have a think what info you are keeping on those records).
Records containing personal data that are stored on your salon’s computer should be encrypted (it might sound complicated, but it’s actually much easier than you might think) and make sure that any client information you share with anyone is password protected (again, easier than you may think!).
8. Consider your policy for child clients
Children under the age of 16 will need to have parental consent too, so you need to create a plan to obtain consent from a parent or guardian before you start to store their data, or market your services to them.
BONUS POINT 9. Don’t get sucked in to scams
There are companies selling GDPR certificates and badges to go on your website. Right now that is NOT a requirement of GDPR. If you’re approached by a company and they have a clear strategy to get you ready for the new regulation, that’s great, but please don’t be fooled by the badge.
You may have heard that you can use Legitimate Interests to let the whole thing pass you by and carry on as you are. You may be able to use this approach for direct marketing (by post of landline), but email and SMS marketing will need stricter e-privacy consent.
If you are planning on using Legitimate Interests, you still need to carry out a thorough audit to confirm that your usage of client data is what your clients would reasonably expect, make it clear to your clients that you are using this approach (both in the salon and on your online privacy statement) and give them an opportunity to raise an objection.
Still confused? If you’d like to talk it through in a little more detail or want a helping hand to work through these steps, drop an email to firstname.lastname@example.org to schedule a 15 minute call.