Guest Article by Joseph L. Bolger, Managing Director at ESA Consultants
Perhaps you’ve heard about a new law coming into effect in about a year’s time: the new Data Protection Act 2018. When it comes to protecting your client details, implementing good habits today can only be beneficial in the future. So, let’s get ready: first things first, put the kettle on.
A Few Terms And Definitions
Any information you hold and that relates to a client/customer.
Any person, or company with no connection to you or the client/customer.
General Data Protection Regulation (GRPR) 2018
Commonly referred to as the New Data Protection Act, the GRPR aims to give consumers within the EU greater control over how their personal data is used. It has been announced that for Ireland for instance, “the main law dealing with data protection legislation is the Data Protection Act 1988, which was amended by the Data Protection (Amendment) Act 2003. These will both be replaced by the GDPR.”
What You Need To Do To Protect Client Details
The biggest impact of this law on your salon or spa is the right to retain information on clients/customers that could enable them to be identified by third parties. If you fail to respect and protect your clients’ details, it could cost you 4% of your annual turnover. More, you – your salon or spa – could then be fined per breach, even if you – the salon owner – may not have committed the violation. Your staff or a hacker could have.
The right to keep retain information on customers who freely provide you with such details places a responsibility on your business and any provider to:
- Retain the information solely for the purpose they provided it for (if it expires you do not have the right to retain it);
- Protect client details you’ve kept at all cost, and;
- Know the law’s requirements on data protection (you will now be responsible, accountable and/or suffer the consequences if this is breached).
Questions To Ask Yourself
How much do you know about your salon’s database?
- Why are you holding the data? Is it for a blog subscription, clients coming in for a treatment, and you need regular communication with them?
- How did you obtain it? Did you purchase a list or was the information freely provided to you?
- Why was it initially gathered? A blog, a contest, a promotion or special offer, etc.?
- How long will you retain it? For a limited time? Forever?
- How secure is it, in terms of encryption and accessibility? Can every staff member access it, or even worse, hackers, etc.?
Related | Phorest’s Cloud Storage & Security
In Your Salon Or Spa…
Briefing Your Staff
First things first, you will need to inform your employees about this new law. Now, when they are gathering client details – in person or online – they will need to notify the customer of your identity (salon/spa), your reasons for collecting the data, the use(s) it will be put to and to who it will be disclosed.
If you use consent when you record client details, the ways you seek, obtain and record that consent, and whether you need to make any changes should be reviewed. Consent must be ‘freely given, specific, informed and unambiguous.’
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to the processing of their personal data. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. Your client is entitled to have access to their information, have inaccuracies corrected, information erased, to object to direct marketing and to restrict the processing of their information including automated decision-making.
Any client who requests access to their information should have a response within the 30 days. You may look for a fee for the administration costs. You should also be aware the if your files have inaccurate information, you will have to explain why. However, you do have a right to refuse some information. This you can do when a request is deemed manifestly unfounded or excessive. However, your salon or spa will need to have clear refusal policies and procedures in place and demonstrate why the request meets these criteria.
Using Third Parties
You are entitled to engage third parties for legitimate purposes, such as Payroll, Software providers, HR Companies, Accountants and Solicitors to work with you and get involved in your data. However, you must have a clear policy on the matter and ensure your customer is aware.
Disposing of Data
If you need to dispose of data, the new Data Protection Act requires that you show the disposal was controlled. If it is IT, get your IT people to confirm that your deleted files are indeed deleted and cannot be recovered. Working on paper files? You will need to have them shredded. You could hire a company that will shred the documents for you, in front of you and give you a certification to that effect.
It might seem like a lot to take in all at once, but take it one step at the time. After all, you’ve still got loads of time to prepare. Better be safe than sorry!
Thanks for reading,