GDPR Is Coming, Are You Ready?

You might have noticed your mailbox filling with requests from companies, asking you to keep in touch and update your marketing preferences. This is part of the new EU data regulation, GDPR, which is being introduced on the 25th May 2018…

Nouveau Lashes understands GDPR (General Data Protection Regulation), the new piece of EU legislation, can seem very daunting. Worry not! We are here to help. Nouveau Lashes is passionate about supporting our trained lash technicians to ensure lash businesses offering our treatments are successful and clients who love our lashes understand what it means for them, so we are sharing these six simple principles that make GDPR easier to understand.

The 6 principles of GDPR:

1. Personal data must be processed lawfully, fairly and transparently
2. Personal data can only be collected for specified explicit and legitimate purposes
3. Personal data must be adequate, relevant and limited to what is necessary for processing
4. Personal data must be accurate and kept up to date
5. Personal data must be kept in a form such that the data subject can be identified only, as long as is necessary for processing
6. Personal data must be processed in a manner that ensures its security

So, what does the term ‘personal data’ mean?

Basically, ‘personal data’ means absolutely anything that could allow an individual to be identified. It’s the kind of information most lash businesses have that enables them to contact clients regarding appointments and details needed to safely carry out treatments, such as client record cards.

First steps:

Every business collects and uses personal data in a different way, so for specific legal advice you’ll need to contact the ICO if you’re in the UK or the General Data Commissioner (GDC) if you’re in the Republic of Ireland.

If you run a lash business and you’re wondering where to begin, here’s our advice to give you an extra little nudge towards the road to compliance:

• Conduct an information audit – look at the information you hold, how you capture this data and how it’s used.
• Determine your ‘lawful bases’ for processing personal data – there’s more on this coming up.
• Identify potential risks and any areas of your business which are not compliant – contact the ICO or GDC on the necessary changes you need to make.
• Where required, seek renewed consent from customers – again, there’s more details on consent to follow.
• If you have employees, ensure they are fully aware of GDPR and the new steps you’ll need to take in your business.

Understand how to cover ‘lawful bases’ for processing data

To be able to use client data under the new legislation, one of these lawful bases must apply:

1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Some of these might not apply to your business, but it’s important you can pick out the ones that do.

Extra consent information

GDPR ensures very high standard for consent are met, but what does it mean? Consent means offering clients a genuine choice and control over how their data is used. There are some important key points that businesses need to take into consideration before GDPR comes into action:

If you send marketing communications to clients, you’ll need them to renew their consent to ensure it is compliant with the new regulations. If you don’t, you won’t be able to send them marketing information come 25th May 2018.

• The consent option must be separate from accepting all other T&Cs.
• It must be specific – as well as asking if your client is happy to receive marketing, you will need to specifically ask the ways in which you will contact them (phone, email, text, etc.), to ensure they have gave consent to their preferred option.
• You must let your clients know they can opt-out at any time.
• You’ll need to regularly review the personal data you keep and record any changes.
• Only those over 13 years old can provide consent, otherwise you will need parental consent.

What to do in the event of a breach

Under GDPR, a breach is defined as “a breach of security leading to the destruction, loss, alternation, unauthorised disclosure of, or access to, personal data”. As long as you follow the ICO’s guidelines this shouldn’t be anything to worry about. However, if there’s a breach that is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware.

Does all this apply to my business?

Yes! It doesn’t matter whether you’re a busy salon using an online booking system with multiple employees or a part-time freelance technician with a paper diary, the new regulations apply to all businesses that collect personal data.

We know you could feel overwhelmed with GDPR guidelines. If you have any questions, no matter how big or small, there are organisations to help. You can visit the ICO website, where they have lots of information related to small businesses, including a ’12 steps to take’ infographic and a handy checklist. If you’d prefer to talk to someone directly, stylists in the UK can contact the ICO helpline on 0303 123 1113 (select option 4 to be diverted to staff who can offer support). Those based in the Republic of Ireland, your first port of call is General Data Commissioner.

If you’re based outside the UK, a full list of the Data Protection Authorities for all EU countries can be found here.

Disclaimer: The above suggestions should not replace professional legal advice. Be sure to contact the relevant authorities for legal advice for your business.