What GDPR means for my beauty salon

As if life wasn’t challenging enough juggling columns and cash flows, spa and salon owners now have a new four-letter word to reckon with: GDPR.

May 25, 2018, is the date the European General Data Protection Regulation (GDPR) comes into force, and it affects companies and organisations Europe-wide regardless of Brexit.

According to the EU’s GDPR website, this new legislation “was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy”.

To be compliant, you need to review your systems and processes to ensure you’re holding clients’ information safely and that you are not collecting information you do not actually need for the treatments being carried out, such as how much the client earns.

For salon purposes, personal data is any information related to the client, for example, their name, date of birth, address and medical details. A phone number or photograph that can identify an individual is also considered personal data.

Medical details, such as skin conditions and medication, constitute sensitive personal data, and additional care must be taken when processing them.

Having an online system that controls access via PINs will make GDPR compliance much simpler, as all access to client forms and data will need to be logged with a date and time, along with the name of the individual who accessed them.

If you keep paper records instead, these will need to be stored safely in a locked cabinet. Needless to say, an abundance of space and time is needed for the traditional pen and paper method of storing information.

Under this new legislation, a client is entitled to make a Subject Access Request (SAR) to your spa or salon, giving them access to all the information you hold on them, free of charge, within 30 days. If you think the request has no merit, you can refuse to comply, explaining your reasons and letting the client know that they can complain to the regulator.

As there is quite a lot to do to become compliant, you should seek advice and become compliant as soon as possible rather than leaving it until the May 25 deadline, especially as any data breaches, such as cyber-attacks and accidental leaks, must be reported to the authorities within 72 hours.

The fine for non-compliance with GDPR is up to 4% of your annual revenue, up to a maximum of €20 million. So, it’s vital for your staff to understand the financial and reputational consequences that may follow from mishandling client data.

Tima Reshad is owner of Coco Nail Bar in London's Portobello Road, which won Nail Salon of the Year at the Professional Beauty Awards 2018. The salon also won this award in 2014 and 2015.