Perhaps you’ve heard about a new law coming into effect in about a year’s time: the new Data Protection Act 2018, which brings the EU General Data Protection Regulation (GDPR) into force. When it comes to protecting your client details, the good habits you build today will only benefit you when the law applies. So, let’s get ready: first things first, put the kettle on.
Personal data: any information you hold that relates to a client/customer.
Third party: any person or company with no connection to you or the client/customer.
Commonly referred to as the New Data Protection Act, the GDPR aims to give consumers within the EU greater control over how their personal data is used. For Ireland, for instance, it has been announced that “the main law dealing with data protection legislation is the Data Protection Act 1988, which was amended by the Data Protection (Amendment) Act 2003. These will both be replaced by the GDPR.”
The biggest impact of this law on your salon or spa concerns the information you retain on clients/customers that could enable them to be identified by third parties. If you fail to respect and protect your clients’ details, it could cost you up to 4% of your annual turnover. What is more, your salon or spa, as the business holding the data, can be fined for a breach even if you, the salon owner, did not personally commit the violation: a member of staff or a hacker could have.
The right to retain information on customers who freely provide you with such details places a responsibility on your business and on any provider that works with your data to:
How much do you know about your salon’s database?
First things first, you will need to inform your employees about this new law. From now on, when they gather client details, whether in person or online, they will need to tell the customer who you are (the salon/spa), why you are collecting the data, what use(s) it will be put to and to whom it will be disclosed.
If you rely on consent when you record client details, review the ways you seek, obtain and record that consent, and decide whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous.’
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to the processing of their personal data. Obtaining consent requires a positive indication of agreement: it cannot be inferred from silence, pre-ticked boxes or inactivity. Your client is also entitled to access their information, to have inaccuracies corrected, to have their information erased, to object to direct marketing, and to restrict the processing of their information, including automated decision-making.
Any client who requests access to their information should have a response within one month (30 days). The information must normally be provided free of charge; you may only charge a reasonable fee for the administration costs where a request is manifestly unfounded or excessive. You should also be aware that if your files hold inaccurate information, you will have to explain why and correct it. You do have a right to refuse some requests, namely when a request is deemed manifestly unfounded or excessive. However, your salon or spa will need to have clear refusal policies and procedures in place and be able to demonstrate why the request meets these criteria.
You are entitled to engage third parties for legitimate purposes, such as payroll providers, software providers, HR companies, accountants and solicitors, to work with you and process your client data on your behalf. However, you must have a clear policy on the matter, a written agreement with each provider setting out what they may do with the data, and you must ensure your customer is aware of who their data is shared with.
If you need to dispose of data, the new Data Protection Act requires that you can show the disposal was controlled. For electronic records, get your IT people to confirm that deleted files are indeed deleted and cannot be recovered, including any copies held in backups. Working on paper files? You will need to have them shredded. You could hire a company that will shred the documents for you, in front of you, and give you a certificate to that effect.
It might seem like a lot to take in all at once, but take it one step at a time. After all, you’ve still got plenty of time to prepare. Better safe than sorry!