Getting your salon ready for GDPR
With the General Data Protection Regulation (GDPR) just around the corner, businesses are facing a race against the clock to achieve compliance in time for its arrival in May.
Companies must take the new changes seriously and work quickly to understand the new regulation and what action is needed from them.
The basic principles will be the same for every business, starting with a plan that is devised by the individuals responsible for pushing through change within your organisation.
Remember, if your data is captured, processed or used in the EU, you are obligated to comply – the UK’s decision to leave the EU has no effect on the new regulation.
Raise awareness and register it
First, it is important that key decision makers understand the importance of compliance, and that failing to meet requirements could result in costly legal proceedings. Recording the compliance process is an effective way of showing your willingness to meet regulation rules, and could save you unnecessary trouble later down the line.
Also known as the ‘Data Register’, this record details the personal data you currently hold, your reason for holding it and where the data originated from. The accountability principles of GDPR require you to have a complete record of your data – adopting new procedures and processes to streamline functions.
Compliance is not about preventing you from doing things – instead, it helps improve standards by questioning your reasons and motives. Make sure you review your processes for searching for, capturing and recording personal data, including how you obtained consent from the individuals concerned.
Also review your existing digital and hard copy format privacy notices and policies – are they concise, written in clear language, easy to understand and easily found?
Finally, look closer at the way these policies and notices are currently communicated to your data subjects. Your reasons for using their personal data should be clearly explained, as should the complaints process if they feel dissatisfied with your service.
Rights of the individual
GDPR aims to give individuals greater control over their personal data. For this reason, it is crucial that existing procedures for dealing with personal data are reviewed and amended where necessary.
Data subjects now have the right to request their data be edited or erased, and it is up to your organisation to ensure procedures are in place to deal with such requests.
Perhaps one of the key drivers for the changes is an individual’s right to prevent their data being used for direct marketing purposes, along with the right to challenge and prevent automated decision-making and profiling.
Regardless of complaints or investigations, adopting transparent procedures will help mitigate any future problems with the regulator. If your organisation already takes care handling personal data under the existing laws, then the transition to GDPR should not be a cause for concern.
Prepare for personal requests
If an individual makes a subject access request, you must comply within a month. You can refuse to comply if you think the request has no merit – but you must tell them why and explain that they can complain to the regulator.
For SMEs, it will be more important to show a willingness to comply by trying to implement all the necessary steps and creating a data register, than to be fully compliant in May.
Never assume you have consent
One of the trickier areas of the new regulations is obtaining consent for personal data to be captured and used for more than just contact.
Individuals must give clear consent for their data to be used, but must be allowed to revoke consent easily, at any time. If you change the way you want to use their data, you must obtain a new consent.
Consent must be implicit and your attempts to obtain or confirm consent will help mitigate any future problems at the hands of the regulator.
Keep reviewing and keep recording
Under the GDPR, when you are obtaining and processing personal and sensitive categories of data, you need to record how this data will be retained and under what conditions; for example, whether the retention period is required for legal, regulatory and/or organisational purposes.
The new regulations bring a requirement for all businesses affected by the GDPR to not only have a retention (data minimisation) policy and schedule, but to carry out mandatory Privacy Impact Assessments (PIA) if they want to process personal data as part of normal business practices, if it is to be processed on a new technological or information society system, or if it contains sensitive categories of data.
These assessments will help you decide what are the likely effects on the individual, mitigate any risk and help you build in “privacy by design” in how you obtain and process individuals’ data. Ensure you have a robust process for making the assessments and then record it, along with the outcome – a PIA is a simple step towards compliance, with the emphasis on what you do, rather than what you say you will do.
Make someone responsible and keep it up
If you deal with personal data on a regular basis, then it may be worth employing a dedicated Data Protection Officer who can oversee procedures, ensuring your organisation is fully compliant at all times.
It’s not just electronically held data that can pose a problem; you also need to consider written records, which are covered by the regulations – ensure all your staff are trained on the correct handling of personal data.
Remember, track all your progress using your Data Register, as it will be those organisations without proof of their willingness to comply that will suffer the consequences once GDPR has been introduced.
Even if you are not fully compliant come May, those organisations that can prove they have made an active effort to meet requirements may receive a lesser punishment than those who have completely disregarded the new changes.
Paula Tighe is a qualified data protection professional and leads the trusted advisor information governance service. Experienced in working with small, medium and large private and public bodies, Tighe advises on a range of data protection issues, including training design and delivery, marketing, housing, project management and ICT security.