It is very important to understand that we at Phorest will do our absolute best to make sure the software you are using is 100% GDPR compliant. However, there are some things we cannot advise on, as we are not official GDPR officers. For that reason, we can only give you general advice on the law.
What is ‘personal data’?
GDPR defines personal data as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
For you and your salon that means:
What is a data controller? What is a data processor?
GDPR identifies 2 core parties responsible for data protection - the data controller and the data processor. As a salon, you are the controller. You collect the data and choose how that data is collected and how to use that data for styles, colours, treatments, marketing, retail promotions, etc. In other words, you are making decisions on how your clients’ personal data should be collected and used.
Phorest Salon Software is a processor, as it is a tool that can help you do this. Salons using our software are using it to process and collect personal data - this is why it is so important to have a GDPR compliant software solution!
In the case of your staff’s data, for example, you are still the data controller, but your accountant or accounting software would be the data processor. This is also why simply using GDPR compliant software doesn’t automatically make you 100% GDPR compliant, and why we can't advise you on general GDPR compliance. You need to consider how you and all third parties involved handle personal data.
What is consent?
Consent is the major keyword of this new piece of legislation. It is all about protecting and strengthening consumer rights and making consumers more aware of what businesses do with their personal data. GDPR sets very high standards for consent because it is a lawful basis for processing data. Your client needs to be fully informed and aware of what data you are collecting, why you are collecting it, and what you will use it for.
They also need to be given a real choice to actively opt in. No more pre-ticked checkboxes for marketing consent, for example. You’ll need to be precise and clear. Consent must be given freely, and you will need to keep a record of when and how consent was given. You should review and refresh consent as appropriate. More information here.
What is a ‘data retention period’?
Under GDPR you need to apply data minimisation, that is to say, collect as little data as possible and only store it for as long as you absolutely need it or as you are legally required to do so. Different data sets have different legal retention periods. You should ask your insurance company how long you should store clients’ medical data, for example. Staff data is another example of personal data you are legally required to retain for a certain period of time - even if that person asks to be ‘forgotten’ and to have all their data deleted.
You can set specific data retention periods in your Phorest system following these step-by-step instructions.
What is an audit trail and why do I need one?
An audit trail notes every action taken concerning personal data - from beginning to end. From the moment someone in your salon collects a client’s personal data, up until the client asks you to remove it, every action and process will have to be demonstrated and proved, detailing which staff member was involved, at what time, what the reasons for processing were, and whether the client consented to it.
If you don’t use software, you might find it difficult to prove when a staff member accessed a client’s data, unless you have a log somewhere in which everybody writes it down carefully and signs it. Even if you do use software, make sure your software is GDPR compliant and, for example, uses staff PIN numbers and automatically keeps a precise trail of all actions and transactions concerning your clients’ data. (Don't worry - we have made sure that Phorest does this!)
You will need to provide an audit trail if you are audited or if a client or staff member makes a subject access request. This is an important part of GDPR compliance.
What happens if my salon is not GDPR compliant?
A few things can happen if you’re not GDPR compliant, all depending on the circumstances and severity of the breach. If you can show that you are trying your best to be GDPR-compliant, you might get away with a less severe reaction from the authorities who will investigate your case and examine your business and processes. Goodwill goes a long way!
The cost of non-compliance has 4 levels: a warning, a reprimand, a suspension of all data processing, and finally a fine that can be up to 4% of your global annual turnover or €20 million.
As you can see - it is important to get as well prepared as possible!
Is verbal consent from clients enough?
Yes, verbal consent is enough for your clients. If you want a written trail, you would need to have the client fill in our Consultation Forms or the new Smart Client Card. This will automatically update their client card.
What information can I store about a client?
You can store any information that is needed and related to the client's treatments. You should be aware of the type of information that is inappropriate to hold. For example, a client's birthday is okay, since you need to confirm their age for certain treatments. However, holding their occupation may not be appropriate, depending on the type of treatment. For the likes of the Consultation Forms, you cannot ask any questions that are not related to the treatment. (You wouldn't ask for their blood type on a patch test consultation form.)
What about my client's card details?
Your clients' card details are kept for online bookings so that you can take no-show charges if a client fails to attend. They are stored by a company called Stripe. If a client asks for those details to be deleted from the system, you can simply ask us and we will erase them for you.
Which authority is responsible for data protection?
If you seek any further information regarding becoming compliant, these bodies are the authorities to go through:
Data Protection Commissioner, Ireland, R32 AP23
Information Commissioner's Office, Cheshire, SK9 5AF
If you need any clarification on these points, please get in touch with your GDPR consultant or contact us here at Phorest at firstname.lastname@example.org