GDPR (General Data Protection Regulation) is a new piece of EU legislation specifically concerned with adding more protection to personal data. It will be introduced on 25th May 2018, so now is the time to get ready for GDPR. There’s a big price to pay if you’re not; the maximum penalty for an infringement is 20m Euros or 4% of your turnover, whichever is greater.
It all seems very daunting, but the new legislation is broken down into 6 basic principles that make it a little easier to understand.
The 6 principles of GDPR:
1. Personal data must be processed lawfully, fairly and transparently
2. Personal data can only be collected for specified explicit and legitimate purposes
3. Personal data must be adequate, relevant and limited to what is necessary for processing
4. Personal data must be accurate and kept up to date
5. Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing
6. Personal data must be processed in a manner that ensures its security
What is personal data?
The official GDPR definition of personal data is rather wordy:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Put simply, it’s absolutely anything that could allow an individual to be identified. It’s the kind of information you probably have that enables you to contact your clients regarding appointments and details you need to know to safely carry out treatments.
Where to begin
Every business collects and uses personal data in a different way, so for specific legal advice you’ll need to contact the ICO if you’re in the UK or the General Data Commissioner (GDC) if you’re in the Republic of Ireland.
To get you started, here’s our advice to set you off on the road to compliance:
– Do an information audit – look at the information you hold, how you capture this data and how it’s used.
– Determine your ‘lawful bases’ for processing personal data – there’s more on this coming up.
– Identify potential risks and any areas of your business which are not compliant – contact the ICO or GDC on the necessary changes you need to make.
– Where required, seek renewed consent from customers – again, there are more details on consent to follow.
– If you have employees, ensure they are fully aware of GDPR and the new steps you’ll need to take in your business.
Determining ‘lawful bases’ for processing data
To be able to use your clients’ data under the new legislation, one of these lawful bases must apply:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Not all of these will apply to your business, but it’s important you can pick out the ones that do.
More about consent
GDPR sets a very high standard for consent, but what does it mean? Consent means offering your clients a genuine choice and control over how you use their data. There are some key points you’ll need to take into consideration before GDPR comes into play:
– If you send marketing to any of your clients, you’ll need them to renew their consent to ensure it is compliant with the new regulations. If you don’t, you won’t be able to send them marketing come 25th May.
– Consent must be separate from accepting all other T&Cs.
– It must be specific – rather than asking if they are happy to receive marketing, you will need to specify the ways in which you will contact them (phone, email, text, etc.) to give them the chance to choose which methods they consent to.
– You must let them know they can opt-out at any time.
– This isn’t a one-off thing – you’ll need to regularly review the personal data you keep and record any changes.
– Only those over 13 can provide consent, otherwise you will need parental consent.
What to do in the event of a breach
Under GDPR, a breach is defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. As long as you follow the ICO’s guidelines this shouldn’t be anything to worry about. However, if there’s a breach that is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware of it.
Does all this apply to my business?
Yes! It doesn’t matter whether you’re a busy salon using an online booking system or a part-time mobile stylist with a paper diary, the new regulations apply to all businesses that collect personal data.
If you have any questions, no matter how big or small, there are organisations here to help. You can visit the ICO website, where they have lots of information related to small businesses, including a ’12 steps to take’ infographic and a handy checklist. If you’d prefer to talk to someone directly, stylists in the UK can contact the ICO helpline on 0303 123 1113 (select option 4 to be diverted to staff who can offer support). Those based in the Republic of Ireland, be sure to contact the General Data Commissioner.
If you’re based further afield, a full list of the Data Protection Authorities for all EU countries can be found here.
Disclaimer: The above suggestions should not replace professional legal advice. Be sure to contact the relevant authorities for legal advice for your business.