Are you GDPR ready?
The General Data Protection Regulation (GDPR) is edging closer, and many businesses are concerned that they are not ready, or are not even sure how it will affect them.
We have written this blog to clear up what GDPR is and what you need to do to comply with the new regulation, which comes into force this May.
So let’s begin with, what is GDPR?
The General Data Protection Regulation changes how businesses and organisations handle information about their customers or clients, and gives people new rights over that information, including the right to access it. In a nutshell, it is about being fully transparent with your clients about what personal data you hold, why you hold it and how it is protected.
The new regulation comes into place on May 25th, 2018.
What happens if you are not GDPR compliant by May 25th, 2018?
Failing to comply can result in enforcement action and costly legal proceedings. For the most serious breaches, the regulator can fine you up to 4% of your annual worldwide turnover or €20 million, whichever is higher. For example: if your annual turnover is £40,000, a fine at the 4% level would be £1,600.
What do you need to do to comply?
You or your business must be able to show a lawful basis for every piece of personal or sensitive information you collect and for every purpose you use it for. Data collected to carry out a treatment safely cannot simply be reused for marketing; marketing needs its own basis, normally the client’s consent. Should a client complain to the data protection authority, you will need to show in detail how you collected, used and stored their data.
What’s more, if you take photos of clients for marketing purposes you will now need their permission before using those photos on any of your social media platforms.
The personal data you hold must be kept accurate and up to date, and consent must be as easy to withdraw as it was to give. GDPR sets no fixed renewal period, but it is good practice to check details and refresh consent with clients regularly, for example once a year.
GDPR applies to all personal data, with stricter rules for sensitive (‘special category’) information such as health data, which includes the allergies and medical history you record on consultation forms. What exactly is classed as personal data?
Any information that relates to an identifiable person is classed as personal data, for example:
Name, address and date of birth
Photographs that identify an individual
What this means for consent and consultation forms for lash treatments
As of May 25th, you are required to clearly explain why and how you collect personal data. The information you should include on any consent or consultation form is as follows:
What exactly will the data be used for?
A separate, unticked opt-in box for marketing. Pre-ticked boxes, or wording to the effect of ‘opt out if you do not want…’, do not count as valid consent.
Permission to use photographs taken for marketing purposes, stating where the photographs will be posted.
A note that clients can ask for ALL of their information to be deleted (the ‘right to be forgotten’), and that you will do so unless you have a legal reason to keep it, such as treatment records needed for insurance or legal claims.
What happens if the information is requested by a client?
At any time, any of your clients can make a SAR under the General Data Protection Regulation. A ‘SAR’ is a ‘Subject Access Request’, and it requires you to provide all the information you hold on that client, free of charge, within one month of receiving the request.
The information you will need to provide to the client is as follows:
All contact information and any medical data you hold relating to the client
Why you have held that information
What you are using the data for
Who you have shared the data with, or the types of organisation you share it with
How you collected the data, which can include a copy of the consent provided by that client
How long you have held it and how long you intend to keep it; if the client has also exercised their ‘right to be forgotten’, confirm what you have deleted and anything you must retain and why
This blog covers the basics of GDPR for the lash industry. The full details can be found on the official General Data Protection Regulation website.