Dave Horton outlines what the new GDPR data protection regulation means for hair and beauty businesses. 

On 25th May 2018, new regulations came into force which affect how you gather, store and use information about your clients. Regardless of the size of your beauty business, and whether you're a sole trader or run a limited company, now is the time to review and amend your procedures so that you comply; otherwise you could face significant fines.

Recently you may have received an increase in emails from companies asking you to re-subscribe to their mailing lists or confirm that you would like them to stay in touch with you. This is because the General Data Protection Regulation (GDPR) comes into effect on 25th May 2018 and all businesses need to act – you cannot use ignorance as a defence. Your first port of call should be the Information Commissioner's Office website, where you will find full details of the change in legislation, as well as a useful 12-step guide to the GDPR.

The regulation refers to ‘personal data', meaning any information that can be used to identify an individual, directly or indirectly, such as a name, email address, photographs, online identifiers such as IP addresses, and any CCTV footage you might gather in your business. It should be noted that the GDPR applies to personal data stored on paper as well as electronically.

Although the GDPR is being introduced to standardise data protection across the European Economic Area, it will be unaffected by Brexit. It's also worth noting that the GDPR is new legislation that is likely to evolve with case law, so keep an eye out for updates from the Information Commissioner's Office as the regulation may change over time.

Which areas of your business might be affected?

In line with the requirements of your insurance policy, you should be carrying out client consultations before every appointment and updating your clients' records regularly afterwards; this information is classed as personal data. As per the policy wording from insurance specialists Zurich, “records should be kept for at least seven years following the last occasion on which treatment was given. In the case of treatment to minors, it is advisable that records should be kept for at least seven years after they reach the age of majority (18).” If the salon treats minors at all, you'll need to take note of the age-of-majority rule when deciding how long to keep their records.

At present, you might also gather clients' data for marketing purposes. If you have a list of contact details for individuals who you write to, email or contact via phone or through an app, you will need to comply with the GDPR to continue to use this information.

If you employ staff, or offer work experience placements to students, you will also need to ensure that the way that you store their personal data complies with the GDPR.

Prior to 25th May 2018, the Data Protection Act (1998) protects personal data stored on computers or on paper. However, with the increasing use of electronic means of storing data and the potential for breaches, where data is lost or stolen electronically, the GDPR has been devised to protect individuals whose personal data is likely to be stored by hundreds of different companies across Europe.

You need to decide on the lawful basis for which you are processing personal data. There could be more than one reason, and you should have a compliant procedure in place for each:

Contract basis: You and your client are entering into a contract when they agree to purchase a service or product from you, and therefore you can legally process their personal data in order for you to deliver that service or product as long as it is processed and stored in line with the GDPR.

Legitimate basis: You might want to legitimately contact your clients for marketing purposes. You will need to show that the way you use someone's personal data is proportionate, has a minimal privacy impact, and that people would not be surprised by or likely to object to you contacting them. You will, however, also need to comply with the Privacy and Electronic Communications Regulations (PECR), which require you to give clients a clear option to opt out both when they first give you their details and each time you send them information (e.g. an unsubscribe link in every mailing).

Consent basis: A key aspect of the GDPR is how individuals give you consent to process, store or use their personal data, and the right to modify or withdraw this consent. An individual must give a clear affirmation that you can use their data in the way that you intend to.

Permission must be clearly expressed and a record of how and when consent was gathered must be kept. If you are processing personal data of active clients or staff, its accuracy should be checked annually.

The right to be informed

When an individual gives you their personal data, they must be given a privacy notice which details the purpose of processing their personal data, how long you will retain that personal data for, and who it will be shared with. This is a major change to how you currently process data, so you will need to make sure that you have systems and processes in place for recording that this has happened.

The right to erase information

Under the GDPR, clients will have the right to request that their personal data is deleted or removed from your files where there is no compelling reason for its continued processing, known as the right to erasure. You should consider how you will manage such a request. There are, however, circumstances in which you can refuse it.

Your client's right to access the information

Individuals have the right under the GDPR to see what information your business holds about them; you must provide this information within one month of it being requested in a format that is understandable. This includes all the data you have on them, including any comments you might make about your clients or members of staff on their electronic or paper records.

Restricting data processing

An individual may give you permission to store their personal data, for example on their client consultation card, but not process or use it any further. You are only allowed to retain enough information to ensure the restriction is respected. 

The security of personal data

You should process personal data securely including protecting it against unauthorised or unlawful processing and against accidental loss, destruction or damage. You should seek technical guidance if you are unsure whether the electronic data you hold is securely stored.

If your business experiences a breach of security which leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, you have a responsibility to report the breach to the Information Commissioner's Office (ICO) within 72 hours. A personal data breach could include access by an unauthorised third party, sending personal data to the wrong recipient, or alteration of personal data without permission. You should have robust breach detection, investigation and internal reporting procedures in place.

Who is responsible?

The GDPR means that a business should be accountable and demonstrate how it is meeting its legal responsibilities; you cannot use ignorance as a defence. Responsibility lies with the Controller and Processor; according to the GDPR Article 4, these roles are as follows:

Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

The owner of the business will be considered the Data Controller, whilst any additional members of staff who carry out consultations and record personal data will be considered Data Processors. The Processor could, however, also be a third party such as a company that sends out marketing emails on your behalf using your data. GDPR Article 28 states that it is the Controller's responsibility to ensure Processors meet the regulation's requirements and that the rights of the data subject (in this case your client) are protected; therapists and salon owners must therefore have correctly worded contracts in place with staff or third parties, outlining the explicit responsibilities and liabilities set out in the GDPR.

How to comply

In order to ensure that you are complying with the GDPR by 25th May, you should carry out an Information Audit which will help you, as Data Controller, to ascertain what information you already hold, who it is about, where it came from, why you need it, how it is processed, how long you hold it for, and how it is destroyed.

Having a written procedure in place which outlines measures you are taking in relation to data protection issues, such as the provision of staff training and internal audit practices, will enable you to demonstrate how your business is complying.

Insurance specialists Balens have put together a checklist which will help you work through the process:

  • What information do you hold (personal data / sensitive personal data such as medical, criminal records, data relating to children)?
  • Is this data limited to what you need to hold?
  • Where did this information come from (client / staff / purchased database / CCTV footage / websites / social media etc.)?
  • Who has access to this data?
  • Do the data subjects (staff, customers etc.) know you hold this information?
  • Have they given consent for the data to be stored and how is this demonstrated?
  • Can they withdraw their consent for this data to be stored and what is the process for this?
  • Where is the data held (hard files / servers / email / phones / laptops etc.)?
  • In what format is it held (paper / electronic / voice)?
  • Why is it held?
  • What is it used for?
  • What is the legal / business reason for this data to be held?
  • What processes are in place to ensure inaccuracies in data are updated?
  • Does it move out of the salon or business location (email / hard copy etc.)? If yes, what is the process for this?
  • What are the safeguards regarding third parties' handling of data?
  • When is the data disposed of?
  • How is data disposed of?
  • What training is in place to ensure staff / colleagues understand systems and processes for this data?

Once you have completed the above, you then need to:

  • Determine the lawful basis for processing your clients' data.
  • Produce Privacy Notices for both clients and staff.
  • Ensure you have documented policies for each of the rights of the client, including how you will document if a client exercises any of those rights.
  • Ensure you have contracts in place for Data Processors including staff and third parties.
  • Provide staff with appropriate and comprehensive training on the new legislation, policies and procedures.

Refer to www.ico.org.uk to ensure you have not missed any steps to comply.

Penalties for non-compliance

If you do not comply with the GDPR you are leaving yourself and your business open to administrative fines from the ICO. Fines are discretionary rather than mandatory and based on the specific articles of the GDPR that you have breached. If you are found to have shown no intention of complying with the regulation, the ICO has the power to impose fines of up to €20 million, or 4% of your annual global turnover.

Although implementing procedures to comply with the GDPR may seem daunting, it is likely that, as a responsible business owner, you are already meeting many of the requirements under the existing data protection laws. This month, take time to review your current procedures, follow the checklist to see if there are any new procedures you need to put into place, and most importantly, don't panic. Make a start by visiting the Information Commissioner's Office website, where you will find a full package of tools; the ICO also has a dedicated advice line (0303 123 1113) to help small businesses like yours.

Dave Horton is Director of Associated Beauty Therapists (ABT), the industry's leading membership and insurance provider representing over 18,000 clients.

Many thanks to Balens Specialist Insurance Brokers for their assistance in providing information for this article, which is offered as guidance only and is not exhaustive. It does not supersede, amend or negate the provisions of the GDPR or any other applicable data protection legislation. For more detailed or specific guidance please visit ico.org.uk.