Does your salon or barbershop comply with GDPR?

Data protection laws got tougher when GDPR came into force in 2018. Your hair/beauty salon or barbershop must understand and comply with additional data protection laws as set out in GDPR.

Download our detailed Members-only guide to GDPR.  Download our GDPR toolkit which includes templates to help you comply with GDPR. Not yet a Member? Join us now for less than 80p a day to access this user-friendly in-depth guide and make sure you are complying with GDPR.

This blog post covers:

• Why you need to take action
• What is GDPR?
• What data does GDPR cover?
• Keep staff informed
• Stay positive
• What does GDPR mean for you?
• New to GDPR?
• GDPR checklist

Don’t bury your head in the sand

There are substantial financial penalties for non-compliance, so this isn’t one for the ‘nice to have’ pile. The law says your hair/beauty salon or barbershop must follow the rules set out in GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation. It replaced the Data Protection Act 1998 (DPA).

Take steps to protect yourself against an online cyber attack.

What salon/barbershop data does GDPR cover?

GDPR applies to all the personal data your hair/beauty salon or barbershop holds about people, both electronically on computers and on paper (for example, client health questionnaires). It is safest to assume that it covers personal information held in any format.

Under GDPR you need to review all of your contact information and the way you use it, including email addresses, postal addresses, text and mobile phone numbers.

Keep staff informed

It’s important to make sure your employees understand the importance of complying with GDPR and what their responsibilities are.

Stay positive!

Data protection can seem like yet more ‘red tape’ and ‘jumping through hoops’ for little reward, but it’s better to look on it as a positive for your hair/beauty salon or barbershop. You will be seen as a trustworthy, privacy-savvy hair or beauty business that inspires trust and loyalty.

What’s new for your hair/beauty salon or barbershop?

This is not a complete list of all the GDPR requirements for your hair/beauty salon or barbershop, but it offers a good general overview of things you’ll need to consider:

[1] Salon software

If you use salon software, you will need to review the personal data you record and how you use it, including automated communications such as appointment reminders or birthday gift cards. Many salons and barbershops hold a wide array of personal information about clients and staff on their salon software, and use it for various reasons such as marketing, allergy test results, colour notes and missed appointment records.

Remember that salon software will use contact details to send automated messages and you will need to review this function to ensure you are complying with GDPR.

Your software supplier should be ready and able to offer updates and general advice to ensure your hair/beauty salon or barbershop complies with GDPR.

[2] Provide information

If requested, you will have to provide your employees and clients with the information you hold about them free of charge, and they will have the right to correct any information that is wrong. Information must be provided within one month of receiving the request.

[3] Right to be deleted

People have the right to ask you to delete the data your hair/beauty salon or barbershop holds about them unless there is a good reason not to.

[4] Marketing

You probably send many clients appointment reminders, e-newsletters, special offers, newsletters, birthday vouchers and seasonal greetings.

Under GDPR, you must comply with strict rules about contacting clients with marketing messages. As part of this you will also have to comply with:

• the existing Privacy and Electronic Communications Regulations (PECR); and
• the Telephone Preference Service.

Your clients must actively agree to receive marketing information from you. This means they must opt in – not be given the opportunity to opt out.

Existing mailing lists: you will not need to get new consent to send out marketing messages and newsletters to existing clients if certain conditions are met. For example, you must have collected their contact information as part of providing a service or product to them.

[5] Data breaches

A data breach is the loss, or unauthorised alteration or sharing of any of the personal data you hold about individuals. This can be deliberate or accidental. You must keep a record of any data breaches and report serious breaches to the ICO. Failure to do so could result in a significant fine.

[6] Employee contracts

The stricter data protection rules under GDPR also apply to the wording in employee contracts.

The NHBF provides GDPR-compliant contracts free of charge to Members. Download our GDPR toolkit.

New to GDPR? Where to start …

[1] Information audit

As a first step, carry out an information audit. Set out clearly and in detail:

• The type of personal information you hold (both computer and paper records).
• Who gave you the information or where you got it from.
• If you have clear permission to use the information, for example, to send regular marketing messages.
• Who you share the information with.

For example, a typical salon or barbershop will hold:

• Clients’ names, addresses, contact details, allergy tests, and any relevant medical notes etc.
• Staff details, including contact details, salary, next of kin info, relevant medical information, CVs and job applications.

[2] GDPR and children

Under GDPR, children under 16 are a special case: you may need consent from a parent or guardian to keep and use personal data about children. Make a separate list of all your clients who are ‘children’.

[3] Salon software

Be particularly careful when it comes to salon software. Make a few detailed notes about what information it holds, where the information comes from, and how it is used. Remember to note down all those automated communications it carries out on your behalf as these must be reviewed to ensure they are legal. Ask your salon software provider about GDPR-compliant features. 

[4] Privacy notice

You will need a privacy notice that is easy to understand and publicly available. Your privacy notice should include:

• What personal data you collect.
• Why you collect it and how it is used.
• Who it will be shared with.
• When and why it will be deleted.
• What you will not use personal data for.

(This list is not comprehensive.)

GDPR checklist for hair/beauty salons and barbershops

• Don’t bury your head in the sand.
• Start by doing a detailed information audit.
• Make a separate list of children who are clients.
• Note down what information your salon software holds, where it came from and how it’s used. Don’t forget automated communications.
• Create an easy-to-understand privacy notice.

Join us!

Are you an NHBF Member? For less than 80p a day you’ll have access to a wide range of additional benefits that offer incredible value for money. We’ll help you boost your business while keeping you safe, legal and bang up to date with all the latest business legislation that will affect you. Benefits include:

• Our friendly membership helpline for everyday business support.
• Free 24/7 legal helpline.
• Essential health & safety kits.
• Free tax and commercial helpline.
• Free Member-only in-depth guides about all aspects of running your business.
• Savings and discounts on business essentials.