Data Protection GDPR

Data Protection:

The Data Protection Act 1984 states that all information taken from the client must remain private at all times and must not be disclosed or discussed with anyone other than the client.

The Data Protection Act requires client information be used by the therapist only and not given to anyone else without the client’s permission. Client information and any notes you keep must be secure in an area where no-one else will have access to them, i.e. in a locked drawer or password protected area if kept on a computer. Clients have the right to ask to see personal data you hold on them.

It only seems like five minutes since the General Data Protection Regulation (GDPR) came into force across the European Union (EU), sending countless business owners into a mad panic about the way they manage sensitive personal data about their customers and employees. Yet here we are, months down the line and still, many of those businesses haven’t yet taken the necessary steps to ensure they’re compliant with what is often referred to as the biggest change in data protection laws for 20 years.

If you’re one of them, don’t worry, we get it.

Between looking after your customers, managing staff and taking care of the thousands of little tasks that come as part and parcel of running your own salon business, you’ve got enough on your plate without worrying about privacy policies and fair processing notices.

So it’s understandable, sure, but that doesn’t mean you should risk leaving your GDPR duties much longer. The fines for non-compliance can be pretty severe, and the Information Commissioner’s Office (the organisation responsible for overseeing GDPR in the UK) isn’t playing around when it comes to dishing those fines out when they need to.

That’s the bad news. Now, here’s the good news: even months after GDPR came into effect, it’s still not too late to ensure your salon is fully compliant. Better yet, doing so doesn’t have to be half as long, or half as complicated as it might first seem.

Here, we’ve put together your complete, easy-to-follow GDPR compliance checklist for salons, looking at everything you need to know to ensure you’re bang up-to-date with the new law. Before we get into that, however, let’s take a moment to address some of the major concerns raised by the salon owners we’ve chatted to about GDPR.

I was already complying with the Data Protection Act – why do I need to bother with GDPR?

When the Data Protection Act (DPA) 1998 first came into force back in the late ’90s, it was perfectly good enough for that time period. 20 years down the line and things have changed dramatically. The way we collect, use and manage data is drastically different than it was back in the 90s, which means the DPA isn’t really fit for purpose any more.

The same applies to similar data protection laws in other EU member states. That’s why GDPR was created in the first place.

It’s designed to make data protection law relevant and appropriate for the modern digital age by replacing outdated legislation like the DPA. In other words, the 1998 version of the Data Protection Act as you once knew it is no longer the legislation that governs data protection in this country, which is why you need to ensure your salon is GDPR compliant.

That said, you don’t necessarily have to start from scratch.

If you were already taking steps to ensure your business was compliant with the DPA, then you’ve already done much of the hard work needed to ensure you’re compliant with GDPR. Still, that doesn’t mean you can afford to ignore GDPR altogether. There are still some differences, and it’s important to pay attention to them if you’re to keep the Information Commissioner’s Office (ICO) from showing up at your salon with a nasty fine.

Brexit is happening next year: Won’t that make all of this redundant?

No, it won’t. In the United Kingdom, GDPR is enforced by an updated Data Protection Act 2018. That mainly mirrors what’s in GDPR, and will continue to be the governing data protection law once we finally pack our bags and ship out of the EU next March.

So, if you’re going to keep your business in the ICO’s good books, you’ll need to tackle your GDPR tasks now and keep that level of compliance even after Brexit.

Okay, so what do I need to do to create a GDPR-compliant salon?

Though it can seem like a lot, working your way through this simple GDPR checklist is the easiest way to ensure you’re sticking to the rules.

Take inventory of your data:

Just as you probably take stock of your essential supplies and any products you might sell in your salon, the ICO encourages you to also take stock of all the data you currently hold.

That means data not only relating to your clients, but also to employees, suppliers, and anyone else relating to your business.

As you go about creating this inventory, you’ll need to assess your data and determine whether or not you really need to keep it, and if you’re legally allowed to store it.

Some questions you’ll need to ask include:

  • What kinds of information do we collect and store?
  • Are we collecting and storing it only for a valid reason?
  • Are we keeping that information only for as long as is really necessary?
  • Are we doing enough to ensure that the information we store can only be accessed by people who need to access it to do their jobs?
  • Are we doing enough to ensure that the information is only being used for its intended purpose?
  • Do we share this information with any third parties? If so, why? Should we still be doing this?

Doing this will help you determine exactly what you’re allowed to keep and what you should be looking to get rid of.

It will also prove to be highly effective in ensuring that when you do store and collect any data, it’s done so in accordance with GDPR.

All of the remaining items on this checklist should be applied to any and all types of data that you process.

Understand lawful basis

The concept of “Lawful Basis” is the very foundation upon which GDPR is built. It basically means that you’re only allowed to collect and process any and all kinds of personal data if you can prove that you have a lawful reason to do so.

The regulation lists six different kinds of lawful basis that you can use. These are:

Consent: The data subject has given you consent to use their data for a specific purpose

Contract: You need to use the data to fulfil a specific part of a contract agreement

Legal obligation: You need to process data to comply with the law

Legitimate interest: You need to process data in order to perform a legitimate function for your business

Public task: You need to process data in order to carry out an official public duty

Vital interest: You need to process data to save or protect a person’s life.

To be honest, as a salon owner, most of these aren’t going to apply to you. Public task, for example, is primarily about using data in a governmental agency. For your business, the one lawful basis that is most applicable is that of consent.

Check & update the way you gain consent

For the purposes of GDPR compliance, consent means that you can use a person’s data only for the purposes that they have given you their express consent for. This also relates to any information that you’ve collected before GDPR came into play.

For example, if you collect a customer’s email address or telephone number when they book an appointment, you could claim that the lawful basis for collecting that data is that of Legitimate Interest if you use it to send a confirmation or an appointment reminder. However, you can’t then simply decide to add that customer’s details to your marketing list so you can send them your latest special offers.

This is unlikely to be considered a legitimate interest, and would instead need you to gain the person’s express consent to use their data for that purpose. If you’re ever in doubt about which lawful basis to use when collecting data, consent is typically the best one to go for as it makes it absolutely clear that you have outright consent to use data for a specific purpose.

With that in mind, now is the time to look at the way you gather data and ensure that where you are using consent, you’re doing so in accordance with three rules:

  • That you’re obtaining the data fairly
  • That you’re gaining explicit consent to use the data given for a specific purpose
  • That you make it clear to the individual how they can withdraw their consent should they need to

Update your IT security:

Running a salon, it’s easy to overlook IT as having much of an impact on your business. Yet if you keep your customer records in a spreadsheet or database, if you use mailing lists and email programmes, and if you use tools like laptops and iPads in your business, then yes, IT security is just as important to you as it would be if you ran an office.

Tasks you’ll need to look at here include:

  • Ensuring all the personal data you store is fully encrypted. Tech blogs like The Next Web and PC World have lots of advice about encryption tools you can use
  • Ensuring you’ve got sufficient anti-virus and anti-malware software installed on your devices
  • Creating a secure, off-site back-up of your data so that you can always get data back if it’s lost or stolen. Using cloud backup services may be a good option for you in this instance
  • Adding an SSL certificate to your website to ensure that any data customers send to you via contact or payment forms is fully encrypted

Train & educate your staff on GDPR:

At its heart, GDPR is all about ensuring individuals’ data is safe and well protected against a potential breach. Yet even if you employ some super IT guru to install the latest cutting-edge security tools on your laptop, there’s always the chance that one wrong click of a mouse from one of your staff could land you in hot water.

In fact, statistics released by the ICO show that four out of the five top causes of data breaches are down to human error. With that in mind, now’s a good time to ensure that anyone working in your salon is fully informed as to how GDPR impacts their work and what they need to be doing in order to ensure your business remains compliant.

Create your privacy notice

A privacy notice can be a straightforward document that outlines some key details about the way you process data. At a minimum, it should include:

  • The name of your business
  • The reasons you collect data
  • What lawful basis you have to collect that data
  • Who that data will be shared with (such as employees or suppliers) and what grounds you have to share it

Prepare how you’ll respond to data requests or breaches:

Your privacy notice should also inform people of their personal data rights, such as the right to request a copy of the information you hold about them or the right to have that information deleted. With that in mind, it pays to prepare for such requests in advance.

If a customer asks to see the data you hold about them, would you know how to get them a copy in a format that’s suitable for them? On a related note, it pays to be prepared for the worst possible eventuality:

A data breach:

GDPR states that if such a breach occurs, you need to report it to the relevant authority (in this case, the ICO) within the first 72 hours of discovering the breach. Ideally, however, it’s always better to report it within the first 24 hours. As you go through your salon’s GDPR compliance checklist then, ensure that you’d know how to identify a data breach and how you’d handle it should one occur.

Example of a GDPR Privacy Notice

(Why we collect your personal data and what is done with it)

When you supply your personal data to (salon name), it is stored and processed for the reasons below:

  • We need to collect some personal information about you and your health in order to make sure there are no contraindications to your treatment, and to meet legal requirements. You can of course refuse to provide the information; however, we would unfortunately have to refuse your treatment, as this form is a legal requirement for our insurance.
  • Provided we have your consent we may occasionally send you emails with our latest News and offers.
  • We have a legal obligation to retain your records for seven years after your most recent appointment. After this time your records will be destroyed in a method compliant with GDPR.
  • Records retained on paper are kept in a locked cabinet within the salon and are only accessible by staff of (salon name).
  • Records held on the salon’s software are password protected and only accessible by staff of (salon name).
  • Your phone number and email may be used electronically, with your permission. This is for appointment reminders or occasional offers.
  • If you wish to contact us via social media, our accounts are password protected, but given the historic privacy issues associated with social media sites, you may wish to think about what you send us.
  • This website may, from time to time, provide links to other websites. (salon name) has no control over such websites and is in no way responsible for the content thereof. This policy does not extend to your use of such websites. Users are advised to read the privacy policy or statement of other websites prior to using them.
  • We will never share your data with anyone who does not need access without your consent. Only the Manager and Staff of (salon name) will have access to your data.
  • You have the right to see what personal data of yours we hold and you can also ask the Owner of (salon name) to correct any factual errors. Provided the legal minimum period has elapsed, you may also ask the business to erase your records.
  • We would like you to be absolutely confident that we treat your personal data responsibly and that we do everything we can to make sure that only people who can access that data have a genuine need to. Of course, if you feel we have mishandled your data in some way, you have the right to make a formal complaint.

Sample Privacy policy form

Tony Hairdressing Privacy Notice

Introduction

The following privacy notice outlines how Tony Hairdressing collects, uses, protects and transfers your personal data. Tony Hairdressing is a salon that provides services including Cut and Blow Dry, Blow Dry, Blow Dry (Course of 6), Wet Cutting, Gents Wet Cutting, Highlights, Half Head Highlights, Full Head Colour, Ombré/Balayage, Colour Change and hair treatments (Repair, Smooth, Colour, Anti-Hairloss).

The data protection officer/data owner for the organisation is J Bloggs. You can contact the data protection officer/data owner by sending an email to info@………..

Personal data collected

The personal data that we collect is:

  • Name
  • Home address
  • Email Address
  • Date of Birth
  • Phone number
  • Health information

Purpose and Legal Basis for Processing Your Data

  • Tony Hairdressing takes your privacy seriously and we will never sell or rent your personal data to any third party. Sharing of your data and direct marketing activities are only carried out with your express consent, which you are free to withdraw at any time.
  • We need to obtain and process your personal data to provide you with our products, services and treatments and to fulfil our business and legal obligations. We will never collect any personal information from you that we do not need or retain any data that is no longer necessary for the purposes specified in this notice.
  • Where we request sensitive personal data from you (i.e. health or medical data), the reason(s) for the request will be clearly given along with the purposes of the processing. Explicit consent through a signature will always be required for us to obtain and process your health information.

Who is processing my data?

Tony Hairdressing is the data controller and processes your personal information for the purposes laid out in this privacy notice. (If you use a company, add their details here.) That company acts as data processor on behalf of Tony Hairdressing and has access to personal information only in cases where customer support or troubleshooting is required by Tony Hairdressing. Further, they must process the personal information in accordance with this Privacy Notice and as permitted by applicable data protection laws.

Your personal data is processed to:

  • Collect specific personal data (name, address, email, contact number, DOB) that is required to enter into a contract to sell a product or service.
  • Engage in communication with you, including confirmation and reminders of appointments, and requests to cancel or change bookings.
  • Collect health information to perform the agreed services appropriately, and to highlight areas where products and services may cause issues for clients because of their health.
  • Ensure a safe service and provide industry standard advice.
  • Select relevant offers, promotions and information for you.
  • Estimate the number of customers we have.
  • Hold personal data that is required by law or to respond to legal process.
  • Hold for insurance purposes.
  • Store customer records.

Your rights as the individual

If your personal data is held by Tony Hairdressing you hold particular rights over it.

Where you have provided consent for us to contact you as part of our marketing services, you have the right to modify or withdraw your consent at any time by using the unsubscribe option accompanying all of our direct marketing or by contacting the Tony Hairdressing Data Officer.

You also have the right:

  • To be informed of how your personal data will be used before it is collected.
  • To access your personal data and information on how your information is used after it has been gathered.
  • To have personal data corrected if it is incomplete, inaccurate or out-of-date.
  • To request the removal or deletion of personal data where there is no compelling reason for its continued processing.
  • To restrict processing, i.e. to ‘block’ processing of your personal data.
  • To data portability, having your data moved, copied or transferred from Tony Hairdressing to another organisation in an easily readable format.
  • To object to direct marketing from us.

Special categories of personal data collected

Health questions are asked in many of our consent forms to highlight treatments that may have a negative effect on your health due to medication you are taking or a condition you have. Tony Hairdressing asks for consent prior to gathering and processing this information. At any time after giving consent, you can withdraw your consent, subject to legal, insurance and contractual restrictions (see more under ‘Your rights as the individual’). Your privacy is very important to us and we only use this information for determining your suitability for the treatment.

Process of collection

Your personal data is collected when you provide it to us through Phorest software, our website, over the phone, in Tony Hairdressing salons, by email, social media, in writing or any other means by which you provide it to us. Information is stored using the Phorest software platform as well as some level of paper record keeping.

Tony Hairdressing gives you access to information about your account and bookings through Phorest software, for the limited purpose of viewing and updating that information.

Children’s Privacy

Tony Hairdressing does not collect the personal data of children under the age of 16 without parental or guardian consent. If you believe that we hold any information from or about a child under age 16, please contact Tony Hairdressing; if we cannot immediately obtain appropriate parental or guardian consent, we will remove the personal data from storage.

Data Sharing

Your personal data is shared only with Phorest representatives in cases where customer support and troubleshooting is required for the salon. Tony Hairdressing does not share your personal information with any third party without your prior consent, other than those already disclosed in this privacy notice or as part of our legal obligations under the relevant data protection laws.

Use of Data Processors

Data processors are third parties who provide some elements of our business services for us. Where we use a third party, we have strict agreements in place governing the processing of your personal data, under which no action can be taken without instruction from us. The third parties with whom we work will never share or disclose your personal information and will hold it securely at all times.

Phorest

Tony Hairdressing uses software provided by Phorest to manage appointments.

Here is a link to their Privacy Notice: https://www.phorest.com/privacy-notice

How Long Do We Keep Your Data?

Tony Hairdressing retains your personal data for as long as necessary to provide you with our services as our client. Tony Hairdressing is required under tax laws to keep your personal data for a minimum of 7 years. Health and Safety records will be retained for 10 years and, where we have your consent for marketing purposes, we will retain the minimum required data until you notify us that you no longer wish to receive such information.

The criteria under which we would continue to process your personal information include:

  • Where there is a legal basis, obligation or legitimate interest to continue processing your personal information
  • Where processing is necessary for the establishment, exercise or defence of legal claims

Transfers of personal information

When your personal data is processed through Phorest software, all of it is held within the EU. Your information is processed by the Phorest software and stored in the Amazon Web Services cloud. During this process your data is encrypted in transit and at rest.

Consequences of not providing your personal information to Tony Hairdressing

In the event that you want to purchase a product or service from Tony Hairdressing, certain personal information is required to enter into a contract with you. Tony Hairdressing will not be able to enter into a contract with you to fulfil an attempt to purchase a product or service if you do not provide your personal information.

As noted in this privacy statement, we are processing your personal data to comply with legal and statutory obligations and in the performance of a contract. You can always choose not to provide personal information; however, we will be unable to provide certain products, services and treatments in these instances.

Safeguarding your Personal Data

Appropriate measures are taken to protect your personal data from access by unauthorised persons or inappropriate access, internal or external. Your connection to the Phorest system uses the HTTP Secure communication protocol and TLS security. This means all information passed to the Phorest system is encrypted during data input and transfer to the cloud. Any paper files recording your personal data are held in a locked filing cabinet or safe which can only be accessed by authorised personnel in the salon. Employees are only assigned specific access rights and can only access the salon software with the PIN number assigned to them by the management of the salon.

Complaints

In the event that you want to make a complaint about how your personal data was gathered, how it is being processed by Tony Hairdressing (or third parties used by Tony Hairdressing), or you are not satisfied with how a complaint has been handled, you retain the right to lodge a complaint directly with the supervisory authority and with Tony Hairdressing and the Tony Hairdressing Data Protection Officer/GDPR Owner.

  • Data Protection Commissioner, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, +44 (0) 303 123 1113
  • Tony Hairdressing Data Protection Officer/GDPR Owner, Tony Hairdressing, 1 The Street, Any place, AA1 1AA

It is possible to register with the ICO for £35 per month; however, this is not required:

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/assessment-for-small-business-owners-and-sole-traders/

Client Confidentiality

Confidentiality is an important part of the therapeutic relationship between a client and a therapist. Whilst carrying out a consultation it is important for you to stress that all personal information relating to the client will remain completely confidential, and that information will not be disclosed to a third party without the client’s written consent.

You can help maintain client confidentiality by:

  • Carrying out the consultation in private, or as privately as possible
  • Ensuring that all consultation and treatment records are stored in a secure place and never left lying around
  • Never discussing a client’s personal details or their treatment with another person