In a bid to toughen up and harmonise data protection across Europe, the EU’s new General Data Protection Regulation (GDPR) is set to come into force on May 25, 2018. But what is GDPR and how does it affect you?
Just 0.4 per cent of the world was online the last time European data protection laws were updated; now it’s 50 per cent, and there has been a huge rise in the amount of personal data captured and stored online. GDPR is the biggest shake-up in the collection and processing of that data for 20 years, and aims to give people more control over their personal information and how it is used by companies that collect it through data-capture forms.
The idea is to unify data protection across Europe, which means a toughening up of existing data protection rules. The UK will still comply with GDPR, even after Brexit, because the Regulation will be incorporated into domestic law under Clause 3 of the European Union (Withdrawal) Bill. The UK government published its own Data Protection Bill in September 2017, mirroring the EU law and extending it to dealings outside Europe.
GDPR applies to all organisations and businesses in the EU that capture, handle, store or share any kind of personal data. It applies to all personal data on people, whether it’s kept electronically or on paper, and covers websites, privacy policies, paper records and computer records for both clients and employees.
Personal data counts as any information that can be used, directly or indirectly, to identify someone, such as their name, photo, email address, bank details, medical information and IP address.
Beauty salons, hairdressers, therapists and spas typically hold lots of personal information on their clients such as names, addresses, contact details, allergy test results and relevant medical notes. This information is important for insurance compliance purposes and you must continue to keep hold of the consultation cards for seven years. All that extra information is also good if you want to send out automated communications like appointment reminders, offers and vouchers, so it’s important that you and your staff are aware of the new regulations.
Thankfully, salon software companies such as Premier Software and Phorest are already on the ball and have been incorporating GDPR principles and features into their systems in readiness. For more information, see Phorest’s guide: https://www.phorest.com/gb/blog/salon-gdpr-explained-emojis/
While it may seem like a long and arduous task, if you’ve already been complying with the UK Data Protection Act 1998 (DPA), many aspects of GDPR remain the same. What will differ after May 25th focuses on accountability, transparency in how information is used, and ensuring it’s handled with understanding and respect at all times. Under GDPR, personal data must be:
- Lawfully processed.
- Collected for a specified purpose.
- Necessary for that purpose.
- Accurate and up to date.
- Kept no longer than needed for that purpose.
- Processed with appropriate security.
One of the biggest changes in GDPR is an individual’s right to access the personal data held by a company. Currently they have to make a Subject Access Request (SAR) and pay £10, but this fee will be scrapped under GDPR and anyone will be legally entitled to see their data free of charge. They also have the right to ask that their data be deleted, under the rule called the ‘Right to be Forgotten’.
You can’t assume a client wants to be contacted with newsletters and offers any more. People will have to give clear consent, and you must keep a record to show how and when they gave their consent and what for. They’re also allowed to revoke that consent at any time and, if you change the way you use their data, you must get new consent. If, for example, a client makes an online booking, they will now have to ‘opt in’ to receive newsletters or marketing materials, so no more pre-ticked boxes. Privacy notices on your website need to be honest and open about the information collected and what you do with it.
There’s also been a strengthening of the rules surrounding data breaches. GDPR imposes much stricter obligations on organisations to ensure they’re taking all reasonable measures to guard against data theft or loss. The Information Commissioner’s Office (ICO), in charge of the regulations in the UK, can currently fine up to £500,000 for malpractice. When GDPR comes into effect, it will be able to fine up to £17 million or four per cent of annual turnover, whichever is higher. Not something to be taken lightly.
The ICO has published a suggested 12-step process on its website to identify the key areas to look at in preparation for GDPR. It has also set up a helpline, 0303 123 1113, to help small businesses adapt to the new regulations.