A focus on GDPR & what it means for your business
By Metta Francis | 24 May 2018 | Business, Expert Advice, Feature
Metta Francis, Scratch Stars award-winning mobile nailist, puts a focus on GDPR…
Are you GDPR ready?
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect. It sounds scary and can be overwhelming, but the purpose of GDPR is to ensure there’s greater transparency on how businesses collect, store and use data and that it is protected. If you’re not quite GDPR ready, or have left it until the last minute, have a read of the key areas that will affect you as a mobile/freelance nail technician.
Privacy policy
You will need to have a clear privacy policy outlining how you intend to collect, use and protect your clients’ data. If you only use the data for record keeping and insurance purposes, it doesn’t need to be lengthy; an addition to your website and/or consultation form is likely to be sufficient. You will need to provide details of the data protection officer (yourself) so your clients can contact you if they wish to access or amend their data, or request that it be removed. Ensure your existing clients are aware of your updated policy by providing them with a link or paper copy.
Capturing data
As nail technicians, we mainly capture clients’ data via Consultation Forms and you may need to tweak your form to ensure it is GDPR compliant. Let your clients know how long you will keep their details/Consultation Form for (as per your insurance policy, usually 7 years).
You will need to provide a clear description as to why you are collecting information. For example: to identify any potential allergies, to understand clients’ treatment preferences, or to understand clients’ lifestyle for product and service recommendations. Information that is required for insurance purposes should be marked as mandatory and “nice-to-know” fields marked as optional, so your clients have the choice to answer. When updating forms with notes, ensure they are legible and inoffensive, as your client has the right to see their record.
Storing data
If you use paper consultation forms, make sure they are stored away safely and securely. If using an online consultation form, online storage (e.g. Google Drive) and “public” email (e.g. Google, Hotmail, Yahoo! etc.), ensure the providers are GDPR compliant and the data they “look after” is secure – contact the online form provider/website for confirmation and, if not, switch before GDPR comes into place.
Permissions
If you intend to use your clients’ data, you must explicitly ask them for permission. GDPR states that each type of usage needs to be separated out. For nail technicians, usage could relate to sending appointment reminders and special offers/newsletters. If you have taken your client’s email address or telephone number with the intention of sending appointment reminders and automatically added them to your waiting/cancellation list, newsletter etc., this is not allowed.
For example, you will need to request clients’ permission for each of the following:
- Please tick if you are happy to be sent appointment confirmations via:
  - Text
- Please tick if you are happy to be added to the cancellation list and sent notifications when last minute appointments become available:
  - Text
- Please tick if you are happy to receive special offers via:
  - Text
- Please tick if you are happy to receive our monthly newsletter which contains latest news, nail tips and promotions:
You’ll have to give clients the option of opting out of any of your subscriptions, at any time.
Photography
Under GDPR, photographs – including hand and nail photos – can be classed as personal information. You will need to have explicit consent from your clients that you can take a photo of their nails (and themselves if taking a photo of their faces) and use it on your website, social media etc, even if you don’t intend to use their name. You can add this as an additional permission field on your consultation form and for existing clients, you can ask for verbal permission – just remember to make a note of the date they provided you with permission so you have a clear record.
Children’s pamper parties & treatments
If you treat children and/or provide children’s pamper party services, you’ll need to investigate the child-specific GDPR guidelines, as they are more in-depth. At a minimum, parents/guardians must provide consent before you collect any personal data from children.
Is your website compliant?
Chances are, unless you have installed any extra cookies, your website will be compliant, but the useful tool Cookie Bot will run a free scan for you: https://www.cookiebot.com/en/ If you do run cookies, you’ll need a Cookie Notice and Cookie Policy.
Please note this post only scratches the surface of GDPR and if your business is more complex (salon or larger scale), it’s likely you will have other areas to review and investigate. Please refer to your salon software provider and the Information Commissioner’s Office website (https://ico.org.uk) for more resources, including a handy interactive quiz which will determine if you need to register with the ICO.
Metta Francis