Your hair or beauty business may receive a letter from the Information Commissioner’s Office (ICO) within the next week or two. Make sure you look out for it.
Don’t ignore this letter. You may need to check your salon or barbershop post to make sure you don’t miss it while your premises are closed.
The letter is about GDPR and is a reminder to businesses that they may have to register with the ICO and pay a data protection fee. Letters are being sent to the registered office addresses of limited companies, which in some cases may not be the salon/barbershop address.
The deadline to respond to the letter, which was 15 March 2021, has now passed.
This blog post covers:
- Most salons and barbershops won't have to register
- Operating CCTV or carrying out credit checks? You must register
- Check if you need to register
- Penalties for non-payment
You must register and pay the fee if you operate CCTV inside or outside your premises.
In addition, you may have to register if, for example:
- You are running your business as a franchisee.
- You are based in a hotel or spa.
- You carry out credit checks on clients.
Training provider organisations must always register and pay the data protection fee.
You can use the ICO’s self-assessment checker to help you decide if you need to register or not.
Important note: question 7 in the self-assessment has confused some people. Most hair and beauty businesses should answer ‘no’ to all the options as the activities described are not the main purpose of a hair or beauty business.
I haven’t received or can't find the letter, what do I do?
You will only receive a letter if you are a limited company and are not already registered with the ICO. You will not have received a letter yet if you are a sole trader or a partnership, but you may still need to register. If you are in any doubt, contact the ICO for help.
If you can’t find the letter, please ring the ICO on 0303 123 1113. Choose option 2 then option 1 and an adviser will be able to help you.
I hold client data on a computer, do I have to pay?
You are not usually required to register just because you hold client details on a computer, including skin test results or some medical information.
I take payments by card, do I have to pay?
You are not required to register just because you take card payments.
However, if you provide credit facilities and do credit checks on clients then you must register and pay the data protection fee.
Do I have to pay if I have a website?
You do not have to pay if you have a website that advertises only your own business and products.
Do I have to register because I write client information down?
Keeping a written record of your clients’ contact information so that you can remind them about appointments or let them know you have a special offer on does not mean you have to pay a data protection fee.
Do chair, space and room renters/mobile practitioners have to pay?
Chair/space/room renters or mobile practitioners would not usually be required to register even if they hold client contact, appointment and treatment details on computer.
Do I have to register because I have clients' skin test results/medical information?
If you only hold medical information such as skin test results to allow you to provide a non-medical service for your clients, such as colouring, waxing etc., you will not automatically have to register and pay the data protection fee.
What if I use an online booking system where data is stored on the cloud, not on the business’s computer?
You will not be required to pay because you use an online booking system even if the data is stored on the cloud and not on the business’s computer.
What data can I hold without having to pay the fee?
- Staff administration details including any training records for your own staff.
- Client mailing lists – you may use these to advise clients of any promotions or special offers etc. This is classed as advertising, marketing and public relations for your own goods and services.
- Clients' names, addresses, ages, birthdays, medical information and allergies.
If your business does have to pay the data protection fee and you fail to do so, you may be fined up to £4,000.
- Don't ignore your letter from the ICO.
- You must respond - even if you don't have to pay the data protection fee.
- Most salons and barbershops will not have to pay.
- You will have to pay if you operate CCTV, and in some other circumstances.
- If you are in any doubt, check with the ICO.