SalonIQ Latest News

Case Study GDPR

Posted on: March 25, 2018

Making Sure your Salon is GDPR Compliant

There is no shortcut to making sure your salon is compliant with GDPR, it is a new regulation and in a number of areas it is ambiguous.

This blog however is a case study on the steps GREAT hairdressing & Beauty have taken in conjunction with the first 2 blogs https://saloniq.com/guide-to-gdpr-for-salons/ and https://saloniq.com/gdpr-data-protection-and-consent-using-salon-software/ and should give you a good understanding and practical steps to making sure you comply with the new law that comes into effect in May 2018. As a fairly typical small business/salon, the following, outlines the steps we have done in readiness for the new regulations.

Step 1: Team Meetings and Key personnel Awareness

The key people in GREAT hairdressing & Beauty are aware that the law is changing to the GDPR. They appreciate the impact this is likely to have and we identified areas that could cause compliance problems under the GDPR (predominately record keeping and consent). At team meetings the changes in the regulations were outlined, notices put up in the staff room and hand-outs given to all team members. In particular the rights of the individual, the changes to consent, and also stressing the importance of data protection. You can download an example of the hand out here
Team Handout GDPR

Step 2 Documenting the Information we hold

We documented what personal data we held, where it came from and who you share it with. A great resource for this is https://www.inforights.im/media/1271/gdpr_part-1_toolkit_mapping_may2016.pdf

Step 3 Updated Privacy Policy

We updated our current privacy notice. Under the GDPR there are some additional things you have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language. An example of GREAT hairdressing’s privacy policy can be downloaded here.
Privacy_Policy_Draft_vgdpr

Step 4 Checking we can deal with individual Rights and Subject Access Requests

We checked our procedures to ensure they cover all the rights that the individuals have, including how we would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals
• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
•the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling.
At GREAT hairdressing & Beauty most of these responsibilities fall to our Salon Manager, who has been shown how to use “GDPR Forget” and “GDPR print” as well as managing consent.
Lawful Basis for Processing Data
We updated our privacy notice to explain how we process data.

Step 5 Consent

GREAT hairdressing & Beauty have adopted a “best practice” approach to consent. (NB; appointment reminders and quality surveys/reviews do not require consent as these are deemed as essential service communications and can certainly be considered as legitimate interests. With the GDPR flag enabled, by default new clients will NOT be opted into marketing but will still be opted in to reminders.

Initial 8 Weeks

All attending clients for a period of 8 weeks from 25th May will be asked to complete a new client registration form and there consent preferences updated and details checked on SalonIQ. Where possible the client will use the “Client Mode” on SalonIQ and compete this themselves. Where manual forms are used, these will be filed. This is good practice to do annually anyway as it keeps the quality of your data upto date. The team have been explained how SalonIQ prompts for consent and the importance of clicking “NO” if a consent form has not been completed. See example of Client registration form here.
Guest Details gdpr

After the initial 8 weeks

New Clients will be asked to complete the registration form.

Archiving non Active Clients.

Consent in GDPR should ideally be a positive opt-in, historically this was not the case at GREAT hairdressing & Beauty but importantly the fact they are existing customers means it is still ok to market to them as you have a basis of “legitimate interest” and soft-opt-in (this is not a license to SPAM), here we decided to adopt a common sense approach and have automatically set SalonIQ to archive clients after 24 months. Therefore within 2 years all our data will be refreshed and we will only be marketing to clients that have opted in with our new procedures.
In Global Settings we set automatically archive Non Active Clients to 24 months.

Withdrawing Consent

GREAT hairdressing & Beauty have simple ways for people to withdraw consent. All SalonIQ emails go out with options to unsubscribe and at any time a client can call or email to remove their consent.
We made the policy not to market to Children younger than 13 and therefore will not be opted in to any marketing.

Step 6 Data Breaches

In our industry, the most likely reason for a data breach will be theft by an existing team member. Often hard to prove unless they access data after they have left the salon.
We only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals –if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also have to notify those concerned directly in most cases.
This not felt to be the case in GREAT Hairdressing, however it was agreed if ever a data breach occurred a full investigation would be carried out and documented.

Closing note:

Larger organisations will have greater obligations under GDPR and no doubt more clarity on obligations and how best to comply will become apparent in due course as everyone grapples with the new law. Hopefully this blog has given you a start and shown that it does not have to be as onerous as one first thinks.