Step One: Staff Awareness
It is important that you let all of your staff know how GDPR will affect them in relation to how they deal with customers. Arrange a team meeting and let your staff know how these changes will affect them. The most important points are how they ask customers for consent in relation to marketing, the right of the customer to change their consent, and how important data protection is. It may be worth putting up reminders of key points in the staff room and issuing a handout to your staff so they know exactly what they need to do.
Step Two: Documenting the information you hold
You should start a document recording what information you hold in relation to your customers, where it came from and who this information is shared with. You can find more information about this by clicking here.
Step Three: Consent
You should set up a "best practice" for how you gain customer consent. (Essential services such as appointment reminders and surveys/reviews do not require consent, as they are deemed to be of legitimate interest to both the customer and the business and are not for marketing purposes.)
You MUST make sure that new clients are not 'opted in' for marketing by default (click here for a guide on how to set this up), and you MUST make sure your staff know to ask clients for their consent in this regard (see Step One for Staff Awareness).
Existing customers can be viewed in a number of ways in relation to the consent that they have given for marketing emails. There are a few ways to deal with this and you can read more about it by clicking here.
You should ideally take steps to remove clients who haven't visited your business for a 2 year period (these clients should be marked as 'inactive'; a guide for doing this can be found here). You may keep business critical information on your clients (in relation to previous sales of services and/or products for financial reasons, formula histories etc.). A guide on printing out this information can be found here.
You SHOULD NOT delete clients from your database, as this will affect your financial records. You can remove certain client information that is not important to these transactions (such as names, client mailing address, email address, phone numbers etc.). You should also make sure to untick the marketing boxes if they are set to receive marketing emails. There is a guide for removing clients here.
Any client may contact you to ask to be 'opted out' of marketing at any time. To do this, just go into the client's information and untick the box for marketing accordingly. Any customer who receives a marketing email from within Salon Iris has a link to unsubscribe from these at any time (as these are a requirement of our system). You should always make sure that you clearly state that a client may unsubscribe at any time.
You should make a point of not marketing to children under a certain age (under 14 is what we recommend).
Step Four: Make Sure You Can Deal With Individual Rights & Subject Access Rights
GDPR includes the following rights for your clients:
- the right to be informed of the fact that you are collecting and storing their data and why.
- the right of access to the data that you have collected on them
- the right to rectification if they want to correct or change any Personal Data you have about them.
- the right to erasure and have their Personal Data be deleted from your records.
- the right to restrict processing while you still hold their Personal Data.
- the right to data portability and the transfer of their information to another business.
- the right to object
- the right not to be subject to automated decision making including profiling
- the right to be notified of any breach of their data within 72 hours.
You should check over the procedures you have in your business to make sure that all of these rights are covered. Most of these are dealt with by making sure a client's information can be forgotten and printed, and by managing consent in relation to marketing. The business owner/manager should take on the responsibility of making sure that methods for these are put in place.
You can find an example of an email to send clients by clicking here.
Step Six: Data Breaches
If you suffer a data breach that is likely to result in a risk to the rights and freedoms of clients and/or staff (for example, if it could result in damage to the reputation of the business, financial loss, loss of confidentiality, discrimination or any other economic or social disadvantage), then you should notify the ICO of this breach. If a breach is likely to result in a high risk to the rights of your clients and/or staff in relation to any of the above, then you should also notify the parties involved.
You can guard against data breaches by applying a database password to your Salon Iris package and by applying security to the internal system itself to prevent staff from accessing certain areas of the system. Information on both of these features is available on our Knowledge Base (Database Password & Passwording Salon Iris).
It is important to remember that technology alone is not the answer to all of the GDPR compliance rules. Salon Iris is part of your business, but not your whole business.
The above tips are designed to show that implementing GDPR compliance in your business and in your copy of Salon Iris isn't all doom and gloom. However, we are not legal representatives; GDPR can affect each business in its own way, and it is down to business owners to make sure that they are fully covered. You may find it in your best interests to speak to legal counsel in order to make sure your whole business is fully protected before the May 25th deadline.
If you require any more information on GDPR, then please go to the ICO Website.