Welcome to the Salon Owner’s Podcast, Phorest FM Episode 75. Co-hosted by Killian Vigna and Zoé Bélisle-Springer, Phorest FM is a weekly show that puts forth a mix of interviews with industry thought-leaders, salon/spa marketing tips, company insights and information on attending Phorest Academy webinars. Phorest FM is produced every Monday morning for your enjoyment with a cup of coffee on your day off.
Phorest FM Episode 75
May 25th. For countries in the EU, this means GDPR has officially come into effect. As of today, it is mandatory for salons within the EU to collect, house and protect clients’ personal data and information securely, on top of being uber-transparent about how it was collected. On this episode of Phorest FM, Killian and Zoe are joined by one of Phorest Salon Software’s salon business advisors, Niamh Greaney, who will shed light on some last-minute best practices for GDPR compliance and examples of a few real-life “don’t-do’s.”
- Phorest Academy GDPR Webinar
- The Salon Owner’s Guide To Understanding And Preparing For GDPR (eBook)
- Visit salongdpr.com and book an appointment with an advisor to talk about a GDPR compliant salon software solution.
Killian Vigna: Welcome to the Phorest FM podcast episode 75. I’m Killian Vigna.
Zoe Belisle-Springer: And I’m Zoe Belisle-Springer. On this week’s episode, we invite Niamh Greaney back to the show and will focus on last minute practices to help you in the lead up to GDPR coming into effect on May 25th.
Killian Vigna: So, grab yourself a cup of coffee, sit back, relax, and join us weekly for all your salons’ business and marketing needs. Good morning Zoe!
Zoe Belisle-Springer: Good morning Killian.
Killian Vigna: Welcome back from your holidays. Were you off travelling Canada for a while there, were you?
Zoe Belisle-Springer: I was just in my own city. Also went off to Toronto… had a good time, it was very sunny over here. It was nice. Feeling refreshed!
Killian Vigna: We’re getting there, we’re cracking under the good weather. So, speaking of which, May, end of May, coming into countdown. Just a few more days left until I suppose everyone is GDPR compliant. Like you’re probably sick of seeing these emails from any software company or any company you’ve ever signed up for, going: “attention, we need you to confirm consent,” but I suppose even we’ve been doing enough of it ourselves as well where we’ve had quite a bit from the marketing team as well, haven’t we?
Zoe Belisle-Springer: Yeah, here, I mean we’ve done a lot of things related to GDPR. We’ve actually had two episodes of Phorest FM related to this, one with Connor Keppel, the Head of Marketing, and also one with Nichola Sharp from Enhance Beauty. We’ve written an ebook, there’s a website related to this. And we’ve also hosted a few webinars, quite a few webinars actually, and we now have Niamh Greaney here with us on the podcast to talk about more GDPR stuff and maybe things that you haven’t heard about yet!
Killian Vigna: Absolutely no better woman. Welcome to the show, you’ve been talking GDPR flat for how long now?
Niamh Greaney: I don’t know, I would say six months. I literally sleep GDPR. But, no it’s great. It’s actually probably made me more relaxed about it, so hopefully this will help people out a lot without it being extremely overwhelming, so yeah.
Killian Vigna: Not only have you been, I suppose, helping clients and stuff over the phone. You’ve actually gone to a few trade shows now, and you’ve even presented this topic as well. So how did they go for you?
Niamh Greaney: They went really well. There was a big mix probably, people were definitely thankful for the help. But I would say there were a lot of people who were shocked that you had to do a lot more than just marketing consent. So obviously, it’s a whole data protection change. So, yeah, there’s a lot to take in, but what we can focus on is how it will affect the salon, which is going to be quite different from other business, some will be the same, but at least it’s going to be salon specific, instead of telling you all these terrifying changes that a massive tech company would need to do.
Killian Vigna: Yeah, because it’s kind of a different regulation. I mean, software, they do have to do a lot more as a processor than I suppose the controller of it. How did you feel, I suppose, was the general reaction, because like we said we only have a few days before GDPR actually kicks in. From the last few shows, how do you feel? Are people prepped for it? Do you feel good? Or there’s still a lot more work to do?
Niamh Greaney: There’s a lot more work. So, anyone who hasn’t done anything, not to worry, no one’s going to come knocking on your door on Friday. But, it is something that you’re going to have to start out in the next couple of weeks, because you don’t want something to end up happening in the salon and you’ve put nothing in place. You do want to show that you’re making an effort. We’ll talk about different policies and procedures that we would advise you to do, but other than that, you just have to go along with exactly what you’re doing now and what you’re good at and not let it take over. The panic zone.
Killian Vigna: So, what does it actually mean then, I suppose, just to get into the basics of it. To actually be GDPR compliant by Friday?
Niamh Greaney: Yeah, so obviously, you can put measures in place to help. Even if a company put loads in place, they could still act in a non-compliant way. But some of the main things would be… it’s increased responsibilities of the salon, really. And how it affects how you store clients’ data, and maybe figuring out do you really need to ask some of the questions you ask. And to really get your staff aware of simple things so, you can have one of your employees talk about a client that has been in for a certain service outside the salon. That’s a data breach. So it’s trying to understand it on real terms and not just this terrifying law. So yeah, it’s just definitely going to change things a bit, but not too much I hope.
Zoe Belisle-Springer: You were talking about, you know, to not let the panic settle in and just try and keep moving with it. What to you, are the mandatory things that salon owners have to put in place. At least, the very first ones?
Niamh Greaney: Yeah, I would say number one would be do a data audit. So that’s going to basically, what you’re going to do there is you’re going to figure out why you hold the information on a person, for how long you hold it for, is it stored correctly, do people have… is it accessible for them to change or call you. So it’s really figuring out why you’re storing this information, and why. That would be the first thing. The second thing would be, well understanding what personal data is firstly. So, you collect loads of personal data in a salon. So you collect a name, address, phone number. For your staff members, you’ll collect a PPS number, and health data.
Zoe Belisle-Springer: On that last bit, the training. Does that have to be, for instance, the salon owner who trains the staff, or do you need the staff to go and get external training on GDPR.
Niamh Greaney: It’s probably a bit of a mix, so like obviously, there’s a cost if you get somebody in. So maybe that’s, you know, not what you’re going to do. You could do your training yourselves. You’d probably learn a lot more from getting someone into the salon for a few hours or a day or if you send someone on a course. But if you can’t do that. Things like watching Phorest webinars, reading up about it online. Seeing if there’s any talks on. So one of the talks I spoke at was about… the whole course is maybe four or five hours long – but everyone received a certificate. So it meant then, they could actually say, “yeah, I trained on this day.” So, there’s a lot of free courses that go on as well. You might not get all your documentation there, but at least it would help you out with putting people on training and documenting when you’ve trained your staff.
Killian Vigna: So just, on that training. Should you get all of your staff members to do training, or should you kind of do like, I suppose like a tier level. So you’ve got like the owner, the manager, reception, and then the beauticians and stylists. Should they all have different access levels and different training levels, or is it okay to say “yeah, everyone can be trained on this.”
Niamh Greaney: I would do the training for everybody. So training is mandatory. Obviously, some people will need to know a little bit more. But if they understand GDPR as a whole, and how it can affect the salon, that should be good. But the likes of access levels, for anyone that uses any software, you would really need to restrict access. So, not everyone needs to access reports, or maybe marketing. Or different parts of the clients’ client card maybe. So, I would spend a bit of time figuring out who needs access to what, and going back to that data audit and really figuring out do they need it and why they need it. But, you have to run your business properly. If five or six people need access to mostly everything, they need access to mostly everything. But having reasons for it is one of the main things I think.
Killian Vigna: I do like that data audit example because it’s kind of getting yourself to continually assess, ask, why, why, why, why.
Niamh Greaney: And you’ll do it automatically then. Once you understand GDPR, like you think about it all the time. For example, I was staying in a hotel and when I got up in the morning to go for breakfast, there was no one there to say what number room I was in. But it had everybody’s names, everybody’s room numbers and their contact details all left on a sheet of paper. And this is a really well known hotel. And I was like, this is crazy. But I would never have thought about that last year. But that’s, like I could take all their details. And then they technically had a data breach then. So you have to be so careful.
Killian Vigna: I’m laughing because it’s amazing that switch in mindset from twelve months ago to right now. You’ve almost, not necessarily paranoid, but you are more aware of when other people are breaching.
Niamh Greaney: Or this would probably be a big one for anyone listening is, I’ve had a few salon owners that said their answering machine is on loud. So people are ringing in asking for certain treatments with their name and their phone number. What treatment, what day, what time. And that’s crazy, the amount of information that people are getting so. It’s really mad.
Zoe Belisle-Springer: Well on that, I mean, you talked about personal data, you talked about health data that was more sensitive. What do we mean when we talk about protecting the rights of the individual?
Niamh Greaney: So, what that means is, up until now, people haven’t had as many rights. I’ve gotten so many emails from businesses, that I honestly have never done business with. I don’t know how they got my email address, so they’re sending me panic emails, not because they really want to take care about my data. It’s because they’re panicking that I might take them up on not having my information for the right reasons. So, like the rights of individuals mean that if you hold my data, Zoé, I have the right to access it if I want. I have the right to know that you have it and why. The right to be forgotten say, if I want you to delete everything. That you can do that. The right to portability, this isn’t going to be as big for salons, but this is the right to send your information somewhere else. So, say, if you’re using like a Webdoctor service, that you would have linked with your company, that’s just the example. Wouldn’t really happen with salons. Right to rectification. This is just if I need to update my email address, or my name. So that’s really simple.
And then, the right to reject processing; that I don’t have to give you my details. But then, as a salon you might have a legal obligation to get them. So if you use consultation forms, you should check with your insurance company. They will probably say yes, but say do I have a legal obligation to hold this data for seven six years, whatever they say. So if I said to a salon, I don’t want you to have any of my information. That they can still keep my consultation forms. Because I could end up saying, “delete all my information” and then take you to court next year. So you have to not panic about these rights and say, “oh I’m just going to delete everything.” You have to make sure that, you’re really finding out if you have the legal basis to hold this.
Killian Vigna: Just, listening to you talk about the rights of the individuals. Right up until now GDPR has sounded like this really scary thing of you could be facing massive fines or anything like that. But, if you just think about how you would like to be treated as a client, it is quite straight forward in a sense. But it’s also, I suppose, better for you in the long run. Because, now you have a higher quality of clients and people that you try to send your services and treatments as opposed to just having like 10,000 clients. That’s where all these companies emailing us saying you have to update to keep your records. No, because your clients are made up of someone who would never have opened that email.
That’s just kind of like an online version of it. Which, kind of brings me into the whole marketing consent. For a salon owner, what’s the best way to treat that then?
Niamh Greaney: So, like the good thing is, people come to your salon because they want to do business with you and they’re very happy to hand their information over. So nine times out of ten they’re more than happy to get a campaign for you. But, with GDPR, up until now, you never really would have had a time stamped when they said yes, I’d like to be contacted, so, that’s mostly the same with every business. But it’s really about going forward that you’re gaining clear consent. And what clear consent means is that you’re allowing them to choose what they want to be contacted by. Them know that they can opt-out at any time means that you can’t have pre-ticked boxes, it can’t be mixed in with the terms and conditions that you’re going to send them, it has to be completely by itself. And then, if I opt in for SMS marketing and they send me a campaign, and they send me three campaigns, and I decide, I don’t really want to be contacted again. That they have an opt-out in that message. So that’s given me the opportunity to opt out if I want.
That’s all. Clear consent is very very simple. It’s that, if you use a software, it’s fine to get verbal consent, as long as it’s timestamped when they’ve said they’re happy to be contacted. If you’re using paper forms, that you’re just signing for it. Then you allow them to tick, and you have a date that they signed for it.
Killian Vigna: So it’s more clarity around it. So, rather than going, yeah I would like to be in communication with you. It’s, I’m in communication with this, this and this. And your clients actually have to take action, rather than just kind of, like you said that tick box, which we’re so used to seeing last year. Where it’s already ticked when you put your email address in.
Niamh Greaney: Yeah, it has to be very clear. And so, it would even have to be linked out that it says, it’s very clear, either saying that this is for SMS or email, or it has a separate box for SMS or email. And probably, in case people are wondering… People panic a lot about appointment reminders. They’re transactional messages, so they don’t, they’re not the same as gaining consent for a marketing message. But, if they didn’t want to be sent that appointment reminder, that they could tell you, and you’d opt them out. But you don’t need consent to send it, because it’s transactional. So, you’re sending them to remind them about their appointment.
Killian Vigna: So transactional. So, would your kind of like your no-shows, your reschedules, and even your abandoned cart online. Would they be transactional?
Niamh Greaney: Abandoned cart, yeah, that’s interesting. I suppose abandoned cart would probably be okay. It really depends on what the wording is in abandoned cart. Do you know, it’s little things that could change it if they try and start offering you special offers to get you to…
Killian Vigna: Cause, in a way they’ve already given you their information. They just haven’t completed it. So, you’re just reminding them like you would remind them for an appointment. The main thing is, don’t be salesy, kind of promotional, things like those, keep it basic.
Niamh Greaney: Yeah, unless you’re sending them a marketing campaign out. I say to people “don’t stop sending marketing campaigns because of GDPR, that’s not the point.” Marketing is amazing and it helps with your brand and it helps with your bookings. People love receiving newsletters and everything. So, not to stop doing it, it’s just, especially going forward you should be getting clear consent. Definitely to be aware.
Killian Vigna: Like we said, your marketing is actually going to become stronger now, because you’re only sending content out to people that want to hear about it. You’re not sending it out to thousands of people and only 20% actually care.
Niamh Greaney: Yeah, absolutely.
Killian Vigna: If anything, it kind of benefits you in a way here.
Zoe Belisle-Springer: Like, remember when we chatted to Nichola Sharp in Enhance Beauty. She was all about the fact that “it will help me build trust with my clients” more than anything.
Killian Vigna: Oh yeah, she thought this was brilliant. That this was going to be even better again for business now.
Niamh Greaney: Yeah, I think it is.
Killian Vigna: So, just one last thing that kind of I wanted to ask – and it’s purely because it’s a massive part of the industry, but also because I come from the education department, so I’ve been hearing a lot about this training module – is, consultation forms in the industry. They’re kind of obviously a lot more different to just a general client contact information. You’ve already mentioned it, the information you’re asking for there, is on par with what you’d give to your doctor. Do you have any kind of recommendations on policies or how to go about that, or would you just kind of go seek legal advice on that one?
Niamh Greaney: Well, not exactly. Like for your consultation forms, a big part about GDPR is data minimization. So, it means only collecting what is needed. I know some insurance companies might tell you this is fine, but when you’ve taken the GDPR side of it, salons that use these master forms… So if I come in for an eyebrow wax, or if I come in for a facial, they sort of hand to me the same massive form… I would recommend breaking up forms so that they’re actually service specific because if I come in for an eyebrow wax, maybe some of the questions would be the same, but a lot of them wouldn’t be. You shouldn’t be asking me things that you don’t need to know that day. I would recommend doing that.
I wouldn’t recommend stop using consultation forms, it definitely keeps trust, and covers you insurance wise. But when you’re doing out forms, make sure that you’re taking care of them so you’re keeping them in a locked cabinet. Really figure out who actually needs access to them. And ideally, even though it sounds dramatic, that you have a call log of who’s accessing the forms. Because what happens is if someone goes in and takes fifty consultation forms. Are you going to cop on that they’ve done it? So, you really need to make sure that it’s very safe, that you’re not leaving them around the reception desk, and this was a really scary story that we heard about a salon in Finland last week. They filled out a consultation form, they left them in a place beside the reception desk. And a client that was getting her hair done saw her, or maybe it was beauty, saw the form took a photo of the form, said nothing to the salon, but then sent it to the client, who filled out the form.
Killian Vigna: So, they actually knew the person.
Niamh Greaney: Because all their information was on the front. Their name, their address, their phone number, their email, and they sent it to the client, a photo directly to them and said, this is what they’re doing with your data.
Killian Vigna: That’s mental. But that’s exactly why I ask that question. Because, when I was doing a few of the consultation form webinars, one thing that came up from a salon said that they were doing, they said they haven’t moved over to digital yet, it was something they were looking into. A big part of it was consultations. But they were getting a time lock safe with the log book, so, the staff member, their name, their I suppose occupation, their role in the salon, the time and why they went. But they also had a camera up in the corner of the room as well, so timestamps, that log book as well. And that’s how extreme some people are going with this information. Because it’s such personal information.
Niamh Greaney: And people don’t realize it, and I probably didn’t realize it, but what happens is, if people don’t feel comfortable in a salon, or feel like it’s trustworthy, what happens is people actually won’t tell you some of the information you need to know. And what happens then is you end up giving a treatment to someone on who it won’t be effective, or that something actually might happen because maybe they’re afraid to put it in that form because “what will be done with it after?”, or “where will it end up?” But in the doctors, you would never hold back information because you automatically feel like you trust them.
Killian Vigna: But you’d also pull them up straight away if you felt, if you saw a form left out in a doctor’s office. There is no way I would come back to that doctor.
Niamh Greaney: The salon I go to when we were getting started out for consultation forms, digital forms… I was getting some of the questions from her, and she handed me someone’s information and said, “Oh, I can’t find any plain ones, here’s this form.” And thank god it was just her name and address, because they’re a hair salon it wasn’t in depth. I was like, you can’t do that, you can’t hand me someone’s information. But she was just doing it out of the good of her heart, and this is why when you train your staff, it needs to be on these terms, with these examples. Because it’s until you think about how it happens in the salons, you don’t realize the extent of it.
Killian Vigna: I think that is, it’s definitely a good way of ending this is, get your staff trained. Demonstrate accountability. But also, maybe do some practice runs and stuff for when they are handing out personal information. Because even though it’s due on the 25th of May, get it locked down now. Get used to this. If you have software, put pins, staff pins in, so all those audit trails are already going. Just get into the habit of it, that’s what we’ve been trying to get people to do over the last few months is habit, habit, habit.
Niamh Greaney: Absolutely, and because you might say I don’t have time before Friday, don’t make it so that’s a reason you won’t do it. So even if you don’t have time until next Tuesday, or this Sunday, when you have a few hours off work. Do sit down and do it, because if something was ever to happen in your salon, and your salon was audited, if you can demonstrate that you have put in the effort, and tried, they will be way easier on you than if you walked in and you had the attitude of, “oh this doesn’t apply to me.” That’s the difference, you can have mistakes in it or only have put in a small effort at the start and build it up over time. But, do do something.
Killian Vigna: Of course, mistakes happen, accidents happen, but if you and your team can demonstrate during that audit that everyone was onboard, everyone is aware of what they can and can’t do and this is how they’re going about it together, then that’s going to look so much better than if you’ve got a team of people that couldn’t care less.
Zoe Belisle-Springer: So, I suppose, my last question for you Niamh is, there has been quite a bit of confusion, I believe, on social media the last few weeks, or at least on certain salon industry groups, around what Phorest can do to help you become compliant. A lot of people have heard about the consultation forms, but there are also other, even just the smart client card, which is going to be compliant?
Niamh Greaney: Yeah, absolutely. The best way, I think people got confused because GDPR is quite complex. So you think that if you use a software that that’s it, that you’ve done everything and you don’t need to do anything more. So, the best way I explained it is for anyone using Phorest, imagine the software you’re using right now, with nothing extra at it, we’ve made all the relevant changes and implemented different tools to help you be compliant. So we’ve added pop up boxes to gain clear consent, we’ve added a retention period so at least you can automatically put in how long you want to keep information for, and it deletes it for you. We do consent for photos, so if you want, maybe stop putting so many photos of clients on your own mobile. That’s really personal, keep it on Phorest Go. It doesn’t save them on your mobile, you can tick that if they’ve consented for the photos to be put online. And that’s a big thing and that we probably didn’t cover…
You really really need consent to put photos up of somebody, if it identifies someone, so if you don’t do it already, make them sign something, or use Phorest Go, you need it time stamped. If you’re using paper, you need a signature. So, so important. Like the example is like I would use with Phorest, Facebook, well hopefully they will, will have made all the changes necessary to be compliant, but I could still act in a non-compliant way by putting up a photo of you Zoe without you consenting to it.
So, that’s the exact same with Phorest. We’ve made many changes, you have to put in your access codes, we have trails there, and then obviously like you said, there is our new digital consultation forms, so that’s available to anyone on the Complete Advantage Package. These forms are a way for you to go digital with your own paper forms. But you can still be compliant with your paper forms. Like I was saying earlier, with a call log, in a locked place. And then what we have, what we’re introducing is a smart client card. So that’s going to be a way for you to gather details on an iPad or tablet, so when someone comes in and the salon’s busy, you want to get their details, you want to know where they’ve heard of you, and to get marketing consent. But, you can get marketing consent through the pop up as well. So, yeah, we have introduced a lot of things, and to be honest, I’d say it’s not the end of things we’re going to implement to help with the law. So absolutely amazing start anyway.
Zoe Belisle-Springer: Absolutely. I think that was the main confusion. I think it’s because people thought it was either the digital consultation forms, or nothing.
Niamh Greaney: Yes, they saw GDPR and thought, I have to pay to be compliant, or upgrade to be compliant. Not at all, as a software provider, you have to make the changes, and for anyone who isn’t using Phorest, you really should contact your software and say, “what have you done,” because at the trade show I spoke to a lot of people that, you know, maybe their software provider hasn’t gotten back to them, or hasn’t confirmed that any changes will be made. So simple things like marketing consent, opt-out in your messages. Like our opt-outs can’t be removed now, so even if you did forget, you can’t remove it. So little things that just want to help people along the way, but that’s all it is, just putting the tools in place to help you with this new change in law.
Killian Vigna: Well, that’s absolutely brilliant Niamh, and thanks for clearing that all up. Especially with the last few days.
Niamh Greaney: No problem, I know.
Killian Vigna: I mean, like, yeah okay in a sense there is a lot of information. But it’s not that much at the same time. Especially, like a lot of people are moving software these days, so your software should be taking care of some of those things. But again you just need to liaise, and work with your team as well.
Killian Vigna: And we’ll post Niamh’s mobile number too here as well…
Niamh Greaney: My iPhone. My house number. [laughs]
Killian Vigna: House number, mobile, fax, email, everything. That’s been brilliant. Thanks a million for joining us today.
Niamh Greaney: No problem, any time.
Killian Vigna: So that was Niamh Greaney, salon business advisor here at Phorest. And now it’s time for the second half of our show.
Zoe Belisle-Springer: Yes, so Phorest Academy Webinars, we don’t have too many coming up, but we do have one that you will enjoy. So, it’s the very, very first time that we’ve run this one. It’s going to happen on June 18th, and it’s all about work-life balance with Chris Brennan. So for anyone who’s attended the Summit this year in 2018, in January, Chris Brennan ran the workshop on work-life balance, and essentially he’s going to take a few concepts from there and work it off in this hour-long webinar, just for you guys. It’s free to attend, as usual, all you have to do to sign up for it, is go onto our Facebook page, in the Events section, click on “Get Information” once you see that event.
Enter your details, and you’ll get a link in your emails to join on the day. Other than that, we have a new contest, and if you want to enter, you’re in with a chance to win a portable photo printer, it’s the HP Sprocket, it’s called. But essentially we keep talking about it’s no longer enough to just offer a good haircut, or a good facial, or anything like that, so this could actually be a really cool idea if you want to create memories, obviously you’re creating memories with your clients, but if you wanted to share those memories instantly, this printer, this portable printer, it’s about the size of a phone. You link it to your smartphone, and then you can print photos straight from your phone to the printer, and hand them over to your clients instantly, which is really, really cool. So if you want to enter that, it’s on Facebook, it’s on our blog as well. The link is going to be in the description of this podcast episode. All you have to do is sign up with your details and that’s it.
Killian Vigna: So that’s kind of like turning your smartphone into a Polaroid isn’t it.
Zoe Belisle-Springer: Almost, yeah.
Killian Vigna: And I suppose, for anyone who is GDPR concerned, you could always just get your client to sign the back of that photo if you want to keep it yourself. If you’ve got your wall of fame that a lot of salons do, just sign the back of your photo. Done.
Zoe Belisle-Springer: Yeah, so that’s pretty much all that I have in terms of news, Killian. If you have any feedback, feel free to leave us a review on iTunes, or on Stitcher, we’re always looking for suggestions on how to improve the show. Otherwise, have a wonderful week, good luck with GDPR, and we’ll catch you next Monday.
Killian Vigna: All the best.