GDPR Compliance Checklist

Last Updated: May 23, 2018 03:44PM UTC
Whilst there is no easy way to make your business GDPR compliant, here at Salon Iris, we want to make the process as simple as possible. That is why we have created a few simple steps you can take to get you on the way.

Step One: Staff Awareness

It is important that you let all of your staff know how GDPR will affect them in relation to how they deal with customers. Arrange a team meeting and explain how these changes will affect them. The most important points are how they ask customers for consent in relation to marketing, the right of the customer to change their consent at any time, and how important data protection is. It may be worth putting up reminders of key points in the staff room and issuing a handout to your staff so they know exactly what they need to do.

Step Two: Documenting the information you hold

You should start a document of what information you hold in relation to your customers, where it came from and who this information is shared with. You can find more information about this by clicking here.

Step Three: Consent

You should set up a "best practice" for how you gain customer consent (Essential services such as appointment reminders, surveys/reviews do not require consent as they are deemed to be of legitimate interest to both the customer and the business and are not for marketing purposes).

You MUST make sure that new clients are not 'opted in' for marketing by default (click here for a guide on how to set this up), and you MUST make sure your staff know to ask clients for their consent in this regard (see Step One: Staff Awareness).

Existing customers can be reviewed in a number of ways to establish what consent they have given for marketing emails. There are a few ways to deal with this and you can read more about it by clicking here.

You should ideally take steps to remove clients who haven't visited your business for a period of 2 years (these clients should be marked as 'inactive'; a guide for doing this can be found here). You may keep business critical information on your clients (relating to previous sales of services and/or products for financial reasons, formula histories, etc.). A guide on printing out this information can be found here.

You SHOULD NOT delete clients from your database as this will affect your financial records. You can instead remove client information that is not needed for these transactions (such as names, client mailing address, email address, phone numbers, etc.). You should also make sure to untick the marketing boxes if they are set to receive marketing emails. There is a guide for removing client information here.

Any client may contact you to ask to be 'opted out' of marketing at any time. To do this, just go into the client's information and untick the marketing box accordingly. Any customer who receives a marketing email sent from within Salon Iris has a link to unsubscribe at any time (this is a requirement of our system). You should always make sure that you clearly state that a client may unsubscribe at any time.

You should make a point of not marketing to children under a certain age (under 14 is what we recommend).

Step Four: Make Sure You Can Deal With Individual Rights & Subject Access Rights

GDPR includes the following rights for your clients:
  • the right to be informed of the fact that you are collecting and storing their data, and why;
  • the right of access to the data that you have collected on them;
  • the right to rectification if they want to correct or change any Personal Data you have about them;
  • the right to erasure, having their Personal Data deleted from your records;
  • the right to restrict processing while you still hold their Personal Data;
  • the right to data portability, the transfer of their information to another business;
  • the right to object;
  • the right not to be subject to automated decision making, including profiling;
  • the right to be notified of any breach of their data within 72 hours.

You should check over the procedures you have in your business to make sure that all of these rights are covered. Most of these are dealt with by making sure a client's information can be forgotten and printed, and by managing consent in relation to marketing. The business owner/manager should take on the responsibility of making sure that methods for these are put in place.

Step Five: Privacy Policy

All businesses should have a privacy policy that talks about how you deal with customer data, how it is used and how it is shared, if shared at all. You should also include information for clients on your lawful basis for processing data, data retention periods (in relation to business critical information as well as personal data) and that clients have a right to complain to the ICO if they believe their information is not being handled correctly. You must make these points in a clear and concise manner so it is easy to understand. We have drafted a rough template for a privacy policy which you may use in your business where details are applicable. This is available here.

Ideally, you should email a copy of your updated Privacy Policy to your clients if you do any email marketing (whether through Salon Iris or 3rd party software using Salon Iris data) to make them aware of it being updated/implemented. All marketing emails sent from Salon Iris MUST include an unsubscribe option. You may wish to make it clear to your customers that they can opt out of marketing emails at any time by clicking unsubscribe.

You can find an example of an email to send clients by clicking here.

Step Six: Data Breaches

If you suffer a data breach that is likely to result in a risk to the rights and freedoms of clients and/or staff (for example, if it could result in damage to the reputation of the business, financial loss, loss of confidentiality, discrimination, or any other economic or social disadvantage), then you should notify the ICO of this breach. If a breach is likely to result in a high risk to the rights of your clients and/or staff in relation to any of the above, then you should also notify the parties involved.

You can protect against data breaches by applying a database password to your Salon Iris package and by applying security within the system itself to prevent staff from accessing certain areas of the system. Information on both of these features is available on our Knowledge Base (Database Password & Passwording Salon Iris).

And finally...

It is important to remember that technology alone is not the answer to all of the GDPR compliance rules. Salon Iris is part of your business, but not your whole business.

The above tips are designed to show that implementing GDPR compliance in your business, and in your copy of Salon Iris, isn't all doom and gloom. However, we are not legal representatives; the terms of GDPR affect each business in its own way, and it is down to business owners to make sure that they are fully covered. You may find it in your best interests to speak to legal counsel in order to make sure your whole business is fully protected before the May 25th deadline.

If you require any more information on GDPR, then please go to the ICO Website.

Contact Us

  • Email Us
  • Call us on 0121 314 4402 (option 2) to speak to a member of our support team or email us at (Support plan & Subscription customers only)