Will GDPR affect your salon or barbershop?
GDPR is going to change the way your salon or barbershop handles data. Find out how to prepare your business for the looming May deadline
You handle a lot of personal data every day. You might not realise it but a customer’s phone number or an employee’s home address is personal data.
But a new law will affect how you store this information. The General Data Protection Regulation (GDPR) is coming in on 25 May 2018, and it will have a big impact on how you collect data and process it.
If you’re not ready for GDPR, you could face a maximum penalty of either €20 million or 4% of your annual turnover, whichever is greater.
And while it’s unlikely that you’ll face such a hefty fine, just imagine the impact of losing £20,000 or even £2,000 on your business. You might have to let staff go or cut down on the amount of supplies you order—so it’s not worth the risk.
Here’s what’s changing under GDPR and how you can start preparing your business now.
Review the data you hold
You should start by reviewing the personal information that you store on customers, such as their full names, phone numbers and email addresses.
Document what the data is, where it came from and if you share it with anyone. Make a separate list of any customers who are under 16, as you might need to get a parent or guardian’s consent to hold their personal data.
You shouldn’t overlook the data that you hold on your staff either. You might not realise it, but you store a lot of your staff’s personal information such as their job application and next of kin. Review this data in the same way that you did for your customers.
Check that you’ve got explicit consent
As a salon or barbershop owner, you’re likely to message your customers a lot. You might send automated appointment reminders or monthly emails with special offers.
But you can no longer assume that your customers are happy for you to contact them.
Under GDPR, your customers must give you explicit consent through a positive opt-in. This means you can’t use pre-ticked boxes or any method that assumes a person gives you consent.
Look at how you ask for and record consent, and decide whether you need to change this.
Know individuals’ rights
GDPR gives people more control over their data.
A person now has a ‘right to be forgotten’. This means that your customers or staff can ask you to delete their information if you don’t have a good reason to store it anymore.
Not only that, but GDPR gives people the right to know what information you hold about them. The Information Commissioner’s Office calls this their ‘right to access’.
If a customer or member of staff asks to know what information you hold on them, you must give this free of charge and within one month.
Worried that you’re not ready for GDPR? Visit our GDPR info centre to download our compliance checklist.