Data protection laws got tougher when GDPR came into force on 25 May 2018. Your hair/beauty salon or barbershop must understand and comply with additional data protection laws as set out in GDPR.

Guide to GDPR

Download our detailed Members-only guide to GDPR

Download our GDPR toolkit which includes templates to help you comply with GDPR.

Not yet a Member? Join us now for less than 75p a day to access this user-friendly in-depth guide and make sure you are complying with GDPR.

This blog post covers:

Don’t bury your head in the sand

There are substantial financial penalties for non-compliance, so this isn’t one for the ‘nice to have’ pile. The law says your hair/beauty salon or barbershop must follow the rules set out in GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation. It replaced the Data Protection Act 1998 (DPA).

If your salon or barbershop is currently complying with the DPA you will have a good starting point to build on.

Take steps to protect yourself against an online cyber attack.

Cyber security

What salon/barbershop data does GDPR cover?

GDPR applies to all the personal data your hair/beauty salon or barbershop holds about people, both electronically on computers and on paper (for example, client health questionnaires). It is safest to assume that it covers personal information held in any format.

Under GDPR you need to review all of your contact information and the way you use it, including email addresses, postal addresses, text and mobile phone numbers.

Keep staff informed

It’s important to share updates with your team so they also understand what’s happening and what their responsibilities will be.

Stay positive!

Data protection can seem like yet more ‘red tape’ and ‘jumping through hoops’ for little reward, but it’s better to look on it as a positive for your hair/beauty salon or barbershop. You will be seen as a trustworthy, privacy-savvy hair or beauty business that inspires trust and loyalty.

What’s new for your hair/beauty salon or barbershop?

This is not a complete list of all the GDPR requirements for your hair/beauty salon or barbershop, but it offers a good general overview of things you’ll need to consider:

[1] Salon software

If you use salon software, you will need to review the personal data you record and how you use it, including automated communications such as appointment reminders or birthday gift cards. Many salons and barbershops hold a wide array of personal information about clients and staff on their salon software, and use it for various reasons such as marketing, allergy test results, colour notes and missed appointment records.

Remember that salon software will use contact details to send automated messages and you will need to review this function to ensure you are complying with GDPR.

Your software supplier should be ready and able to offer updates and general advice to ensure your hair/beauty salon or barbershop complies with GDPR.

Software

[2] Provide information

If requested, you will have to provide your employees and clients with the information you hold about them free of charge, and they will have the right to correct any information that is wrong. Information must be provided within one month of receiving the request.

[3] Right to be deleted

People have the right to ask you to delete the data your hair/beauty salon or barbershop holds about them unless there is a good reason not to.

[4] Marketing

This is a big change. You probably send many clients appointment reminders, e-newsletters, special offers, newsletters, birthday vouchers and seasonal greetings.

Under GDPR, you must comply with strict rules about contacting clients with marketing messages. As part of this you will also have to comply with:
• the existing Privacy and Electronic Communications Regulations (PECR): and
• the Telephone Preference Service.

Your clients must actively agree to receive marketing information from you. This means they must opt in – not be given the opportunity to opt out.

Existing mailing lists: you will not need to get new consent to send out marketing messages and newsletters to existing clients if certain conditions are met. For example, you must have collected their contact information as part of providing a service or product to them.

[5] Data breaches

A data breach is the loss, or unauthorised alteration or sharing of any of the personal data you hold about individuals. This can be deliberate or accidental. You must keep a record of any data breaches and report serious breaches to the ICO. Failure to do so could result in a significant fine.

[6] Employee contracts

The stricter data protection rules under GDPR also apply to the wording in employee contracts.

The NHF provides GDPR-compliant contracts free of charge to Members. Download our GDPR toolkit.

Start the GDPR ball rolling at your salon or barbershop …

[1] Information audit

As a first step, carry out an information audit. Set out clearly and in detail:

• The type of personal information you hold (both computer and paper records).
• Who gave you the information or where you got it from.
• If you have clear permission to use the information, for example, to send regular marketing messages.
• Who you share the information with.

For example, a typical salon or barbershop will hold:

• Clients’ names, addresses, contact details, allergy tests, and any relevant medical notes etc.
• Staff details, including contact details, salary, next of kin info, relevant medical information, CVs and job applications.

[2] GDPR and children

Under GDPR, children under 16 will be a special case: you may need consent from a parent or guardian to keep and use personal data about children. Make a separate list of all your clients who are ‘children’.

Children

[3] Salon software

Be particularly careful when it comes to salon software. Make a few detailed notes about what information it holds, where the information comes from, and how it is used. Remember to note down all those automated communications it carries out on your behalf as these will need to be reviewed to ensure they are still legal. Most software companies are working on making sure their systems are GDPR compliant, so expect more information to be coming from them too.

[4] Privacy notice

You will need a privacy notice that is easy to understand and publicly available. Your privacy notice should include:

• What personal data you collect.
• Why you collect it and how it is used.
• Who it will be shared with.
• When and why it will be deleted.
• What you will not use personal data for.

(This list is not comprehensive.)

GDPR checklist for hair/beauty salons and barbershops

• Don’t bury your head in the sand.
• Start by doing a detailed information audit.
• Make a separate list of children who are clients.
• Note down what information your salon software holds, where it came from and how it’s used. Don’t forget automated communications.
• Create an easy-to-understand privacy notice.

Join us!

Are you an NHF Member? For less than 75p a day you’ll have access to a wide range of additional benefits that offer incredible value for money. We’ll help you boost your business while keeping you safe, legal and bang up to date with all the latest business legislation that will affect you. Benefits include:

• Our friendly membership helpline for everyday business support.
• Free 24/7 legal helpline.
• Essential health & safety kits.
• Free tax and commercial helpline.
• Free Member-only in-depth guides about all aspects of running your business.
• Savings and discounts on business essentials.