Data Processing & GDPR DOES apply to Hairdressing!
Due to some conflicting information being promulgated over social media, chat rooms and the like, we have been asked to write a short article specifically related to the requirements of GDPR and Data Protection for Hairdressers, Stylists and related professionals.
Obviously, many of the following points will be equally applicable to other personal care businesses such as beauticians, nail bars, tattooists, tanning salons etc.
The following SIX POINTS should give anyone a 'Heads Up for Hairdressers'.
1. The first point we must make is that EVERY business must abide by the Data Protection Regulations; there are no exceptions. If your business processes Personal Data then the rules apply to you.
So the first question is: what is Personal Data?
Simply put, Personal Data is information that identifies a living person. This may include their name, telephone number or email address, but it also includes their image on a CCTV system.
Processing data refers to what happens to the data you collect, including collecting, storing, changing, even deleting the data. This applies whether you use a computer or have a paper system to run the business.
Consequently, it is hard to imagine a business that does not process Personal Data!
2. The Data Regulator in the UK is called the Information Commissioner's Office (ICO). They run a registration system for businesses.
Not every business has to register; there is a free self-assessment test on the Regulator's website to assess whether Registration applies to your business. See: www.ico.org.uk
Some of the situations that require compulsory registration are the use of CCTV in commercial premises, advertising and marketing activity for other businesses and the use of Dashcams in business vehicles (such as in a mobile hairdresser's car).
PLEASE NOTE: If you do not need to Register you STILL have to abide by the rest of the Data Protection rules!
3. Whether you have to Register your business or not, the rest of the rules still apply to you. The first thing all businesses must do is consider what Personal Data they have under their control and what they do with it. The business owner is known as the Data Controller and is responsible for adhering to the rules.
You can only process data if it fits into one of six categories (known as Lawful Bases). Every single piece of data in your business must be identified and allocated a category. This process is called a 'Data Audit' or sometimes an 'Information Audit'.
Conducting a Data Audit is a legal requirement and you should record the fact that you have done it in case anyone asks.
Hairdressers, Stylists (and others) often keep medical information about clients, such as allergies to certain chemicals. This is known as Special Category data and requires additional authority to process it. This is especially important where several different personal care services are offered from the same salon in addition to the hairdressing.
4. Under the Regulations, anyone (not just a client) can send you an inquiry as to what, if any, Personal Data you are processing about them. These are called Data Subject Access Requests (DSARs). There are rules about the timeframe in which you must reply, what to send and how to check the identity of the enquirer. Also, you are not generally allowed to charge for dealing with them.
5. There are many other requirements in the Regulations but the most misunderstood apply to Data sharing within the Salon and Marketing activity.
i) Data Sharing:- Often several people in one salon will be self-employed and running their own business. In this case the Salon Owner and each other business owner must individually be compliant with GDPR. If clients' data is transferred between the businesses, this activity must be clearly set out in written contractual form.
ii) Marketing:- The ICO provides an example of a Hairdresser sharing data for Marketing purposes by sending vouchers to their clients through a Marketing Company; in that case the Marketing Company would be the Hairdresser's Data Processor and must have a special data processor's contract.
6. Evidently, there is a feeling within some parts of the Hairdressing industry that the Data Protection rules such as the GDPR do not apply to them, or if there is no requirement to Register with the Regulator the rest of the rules can be ignored. Clearly, this is not true but with the ICO’s average fine for a small business being around £40,000 few businesses can risk such an assault on their finances for the sake of a bit of forward thinking and preparation.
When all is said and done, we should remember the purpose of Data Protection is largely good sense and Data Security is what we all expect from organisations that deal with our own personal information. Make sure your customers know their data is safe in your hands!
Hopefully, this short article will draw attention to some of the requirements and raise awareness within the Hairdressing and related industries.
NB: As part of our commitment to supporting small business we offer any small business owner a free data protection assessment telephone call with a data protection lawyer so they can fully understand their responsibilities.
Free Legal Advice: Call us on 0330 2233 506 or find us Online at www.transitionlaw.com