GDPR is Great!!

gdpr May 03, 2018

And, you don’t need a seminar to understand it!!

So, let’s stop all the scary stuff and break it down - it’s very simple, straightforward and makes good common sense. It’s NOT bureaucracy gone mad!

However let me be clear, this is not a definitive guide to GDPR and is just my own opinion, views and advice based on everything I’ve learnt myself about this subject.

I was listening to Christopher Wylie’s (the Facebook/Cambridge Analytica whistleblower) testimony to the Commons Culture Committee and he said something that made so much sense.

“The world today runs on data - it’s a new world’s electricity, and just like electricity, it’s really useful, valuable and powerful. But, just like electricity, it can be dangerous if it’s not used wisely. We have safeguards and standards in place when using electricity - we need the same for data!”

So, it’s good to have our data protected better - I’m sure you want your data protected as a consumer? Well, we can’t expect that from other companies and not be prepared to do it ourselves!

However, it’s also great for your marketing. I find that so many salons have lots of data but we aren’t using it well - GDPR will force us to use it better as it will give us clear targeting opportunities.

A ‘targeted list with permission granted’ is between 10-20 times more valuable than a general database - in other words, just 200 clients who ‘want’ to listen to you is similar to a general database of between 2,000 and 4,000 email addresses.

Just because I’ve given you my address doesn’t mean I'm inviting you round for dinner! Well, it’s the same in the digital world - just because you have my email address doesn’t mean I’m inviting you to keep popping into my inbox! We have all been making this mistake (ourselves included) and the result is that people ignore 90% of what arrives in their inbox. (Even if they had wanted to read it!)

GDPR will cut out so much of the rubbish spam we receive, which in turn means that the client who has given you permission is more likely to read your email as it won’t be lost in the crowd of rubbish and they have a level of trust in you.

Anyone who has attended my online marketing seminar will be familiar with this question: would you build a house on rented land?

Obviously not!

Well, let’s be clear, as useful and important as social media is, it’s rented land. You need 'email data' not just social media friends and followers. Email is building a list on land you own - the only person who can take it away is the owner of the email address.

For example, just look at the dramatic drop in engagement that Snapchat has had recently - there is even talk of problems at Instagram due to the new algorithms. Neither is about to fold - but if you have ‘built your house’ solely on a social media platform you are always in potential danger.

As I always say - Don’t be online - use online! Use it to get people to your list - when you have an email address with granted permission you have something very valuable.

So… GDPR is good - it’s going to force you to turn your huge random database into a targeted list of people who have given you permission to talk to them - brilliant! Plus it’s going to get rid of all the rubbish in people’s inboxes, giving you a better chance to engage.

So, what do we need to know about GDPR?

Well, the first thing is that the deadline is the 25th of May 2018 - a few weeks’ time. Please note: anything I say here is not an excuse to miss the deadline!

However, let’s stop the panic and look at what needs to be done and what might happen if you miss something. There is a lot of talk about fines of £20 million or 4% of global turnover - whichever is higher! There is the first clue - whichever is higher!! So the minimum fine is £20 million!!! So they clearly aren’t talking about the average hairdressing salon :)

Everything I’ve looked at and everything my common sense brain tells me is that it will work much like health and safety - you may get an investigation for some reason at some time in the future. If you have taken absolutely no notice of GDPR then they aren’t going to be very happy with you, obviously. However, assuming that you have made the most relevant and important changes needed but may have missed something, then I’m pretty sure that you will get a slapped wrist and be told what needs to change and by when - can you imagine if the first step was to levy a fine! We would be taking to the streets!!

So, once again, this is not an excuse to ignore GDPR or the deadline, but simply to just calm down - I’ve seen seminars being advertised to make you GDPR compliant and some people paying an outside source a lot of money to help - this is nuts - most of the data we hold is in your software system and you can be sure that they will be GDPR ready.

OK - what needs to be done?

There are just 4 things about the data you hold that may need to change.

  1. What data you hold and how you get it

  2. What you do with it when you’ve got it

  3. How long you keep it for

  4. How safe it is


1. What data you hold and how you get it

The key here is that you can only collect or hold data that is relevant to the services you provide.

Let’s look at what data a salon collects. It’s actually very simple - we aren’t using algorithms, data mining, secondary marketing or asking for sensitive personal information etc. which is why you need to ignore all the scaremongering going on - it’s simply not relevant to us.

We hold specific client details that are relevant.

  • Name - obvious!

  • Phone number - if you need to notify a client of a change to their appointment by phone or text, remind them of an appointment, or send them marketing content that is directly relevant to the salon.

  • E-mail - same as above.

  • Client record - important information regarding style, colour recipe and the dates of any skin test.

  • Payment details - this information should only be kept within your software system, merchant server or bank; anywhere else is not secure. If for any reason it is ever recorded anywhere else (written down etc. - it shouldn’t be, but realistically it may be sometimes) it must be destroyed immediately with a cross-cut shredder. (BTW, this is a requirement - damn, should have got into the cross-cut shredder business!)

This information should never be used for anything other than the purpose it was provided for.

Any other data we might have collected in the past is not relevant to the services we offer. If you wish to know your client’s birthday, for example, one could question why you need to know that. However, if you can answer that question, it would then become relevant: if you give a discount or gift on their birthday, then you have a reason for knowing their birthday.

It’s pretty obvious really - just look at all the data you collect and if there is anything that you can’t say is relevant - stop collecting it!

Now let’s look at how you collect it.

Any data you now collect has to have specific consent and you have to have proof of that consent.

So, quite simply, everyone has to opt in and give agreement for you to collect their data. The old days of websites etc. having an ‘opt-out’ (a tick box saying “please DON’T send me stuff”) will change to an ‘opt-in’ (“please send me”).

Here is a great example I received recently…

And here is the privacy policy page that the click-through goes to:

Double Opt-in

As we actually need an ‘opt-in’ for a lot of the data we collect in order to operate efficiently, you might want to create something called a ‘double opt-in’.

The first 'opt-in' is to agree to the use of the information for operational purposes - booking info etc. with a second one to agree to the use of the data for marketing.

As you can see, the previous example has lumped it all together in their privacy policy, which is fine, however, I would worry that someone who doesn’t want your marketing ends up refusing to give permission to use their data for operational purposes which could impact on your efficiency.

Finally, if there is certain information that is perceived to be critical to the service you offer for operational or health & safety reasons you don’t have to have an opt-in - however once again it can only be used for its original purpose.

So we need someone’s name for a booking (operational) - it would be ridiculous to get consent for that - or we need to keep a record of someone’s patch test or allergy information (safety).


You can only collect data that is relevant to the service you are offering and you must get permission (Opt-In) for the specific use of that data.



2. What you do with it when you’ve got it

If you understand point one, then point two is pretty straightforward - you can only use the data you collect for the purpose for which they have given permission.

Marketing can be quite vague, of course; you don’t have to get permission for every email etc.

BTW - if you are thinking this is all pretty straightforward - it is! Most of it is happening anyway - the big change is that it’s now an opt ‘in’ rather than ‘out’ and the permission is specific.

Think of how you would like the companies you deal with to use your personal data and then make sure you are operating the same way - you won’t go too far wrong.


You cannot use that data for anything other than what the permission was given for.



3. How long you keep it for

Three things here:

  • The right to be forgotten

  • The right to see what data is being held for you

  • Data should be kept for no longer than is necessary for the specific purpose that permission was granted for.

‘The right to be forgotten’ is simply that there should be a clear and simple process for someone to request to be unsubscribed and/or to have any data being held on them destroyed. If you look at the example I showed you earlier you can see this in their terms and conditions. Make sure there is an option to unsubscribe in the footer of every email/text.

‘The right to see what data is being held’ is simply that there should be a clear and simple process for someone to request that you provide details of any data you hold on that person - you have 30 days to comply with that request. Please note this applies (as it all does) to your employees. Any individual that you hold data on comes under GDPR.

Again, don’t panic - look at the type of data we have on our team - who is seriously going to say that their employer can’t have that data for the reasons it’s needed? Now, if you were passing their details on to a 3rd party without their permission etc., well, of course, that’s different - but who’s doing that?!

However, please be aware that your team can legally request access to whatever data you have. As has been the case for a long time, BTW! (So be a bit careful what you write in employee records!!)

‘Data should be kept for no longer than is necessary’ - in other words, the data should only be kept as long as needed.

This one is very vague - how long is too long? Well, the average period during which someone may re-purchase or purchase a new product or service from the same company is 50 months (that’s a general business stat, not an industry figure). Therefore one could argue that it’s ok for you to send marketing emails (assuming opt-in of course) for 50 months on the understanding that someone could still purchase from you.

Basically, if you keep your database clean - you should be doing this anyway with a marketing ‘we’ve missed you’ incentive if a client hasn’t returned within a specific period of time - then you shouldn’t have to worry about this one.


You must show a clear and simple way for your customer to request removal from your database and the destruction of any records as well as a clear and simple way to request information about the data you hold on them.

You should only hold data for as long as it’s needed for the specific purpose that permission was granted for.
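As an added illustration, not part of Alan’s post, here is the ‘double opt-in’, purpose-limitation, unsubscribe, subject-access and retention points above expressed as a small record-keeping model in Python: every opt-in is stored as proof with its purpose and where it was captured, an address given for bookings cannot be used for marketing, an unsubscribe is recorded rather than silently deleted, and marketing stops once a client has been away longer than the 50-month window. The class and function names, the sample client and the 30-day-month approximation are my assumptions.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta
from typing import List, Optional

OPERATIONAL = "operational"  # the two purposes the 'double opt-in' separates
MARKETING = "marketing"
RETENTION_DAYS = 50 * 30     # the 50-month re-purchase window, taken as 30-day months (assumption)

@dataclass
class Consent:  # proof of one opt-in: purpose, when, and where it was captured (source labels are constructed)
    purpose: str
    granted_at: datetime
    source: str
    withdrawn_at: Optional[datetime] = None

@dataclass
class Client:
    name: str
    email: Optional[str] = None
    last_visit: Optional[datetime] = None
    consents: List[Consent] = field(default_factory=list)
    def opt_in(self, purpose: str, source: str, when: datetime) -> None:
        self.consents.append(Consent(purpose, when, source))
    def withdraw(self, purpose: str, when: datetime) -> None:  # unsubscribe: keep the proof, mark it withdrawn
        for c in self.consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = when
    def has_consent(self, purpose: str) -> bool:
        return any(c.purpose == purpose and c.withdrawn_at is None for c in self.consents)

def may_email(client: Client, purpose: str, now: datetime) -> bool:
    """Purpose limitation plus retention: a booking address is not a marketing address, and
    marketing stops once the client has been away longer than the retention window."""
    if client.email is None or not client.has_consent(purpose):
        return False
    stale = client.last_visit is None or now - client.last_visit > timedelta(days=RETENTION_DAYS)
    return not (purpose == MARKETING and stale)

def demo() -> dict:
    # Constructed walk-through with sample data (not a real client); 'export' is the subject-access view
    t0 = datetime(2018, 5, 25)
    jo = Client("Jo", email="jo@example.com", last_visit=t0)
    jo.opt_in(OPERATIONAL, "reception form", t0)   # first opt-in: bookings only
    before = may_email(jo, MARKETING, t0)          # no marketing consent yet
    jo.opt_in(MARKETING, "web form", t0)           # second opt-in: marketing
    after = may_email(jo, MARKETING, t0 + timedelta(days=7))
    stale = may_email(jo, MARKETING, t0 + timedelta(days=RETENTION_DAYS + 1))
    jo.withdraw(MARKETING, t0 + timedelta(days=8))
    return {"before": before, "after": after, "stale": stale,
            "withdrawn": may_email(jo, MARKETING, t0 + timedelta(days=9)),
            "booking": may_email(jo, OPERATIONAL, t0 + timedelta(days=9)), "export": asdict(jo)}
```

Running `demo()` shows the marketing address becoming usable only after the second opt-in, refused again after the retention window or an unsubscribe, while the booking use carries on; the export dictionary is what you would hand over for a subject access request.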


4. How safe it is

You have a responsibility (same as you do now) to keep any data on individuals safe and secure.

Your software provider, merchant service provider and the bank have the responsibility for most of this. However, if you are keeping data anywhere other than with a legitimate outside party (CRM databases, Mailchimp etc.) then you must ensure that you have taken relevant safety measures to keep that data safe from everyone - not just hackers, but other employees or even other customers (has someone’s record been left open on the computer for all to see, etc.?). But once again - no panic - surely you are currently respecting this; if not, well, now is the time to get your act together.

I would suggest that you look into something like LastPass - a strong, secure way to keep passwords safe. Let’s say that you keep data in the cloud on Google Docs or iCloud. If someone hacks your email because your password isn’t strong enough then they now have access to that data! Of course, in this day and age, you can’t be expected to guard against people who can hack into the FBI!… but you have to show you haven’t been negligent. Think about it like insurance - you won’t get far claiming for a laptop stolen from your car if you left it on the seat with the window open!

Finally, in this area, you have a responsibility to inform the authorities and anyone affected by a breach of your data within 72 hours of you becoming aware of it.


You have a responsibility to keep any data you hold safe, secure and private and you must advise the local supervisory authority within 72 hours of becoming aware of any breach of your data security.

OK, that’s it - as I said at the beginning, this is not meant to be a definitive guide - I just wanted to lay it out as I see it. The best people to help you with specifics are your software provider, merchant services and the NHF.

If you are doing a lot of email marketing etc, then I would also suggest you search Google for GDPR and small business marketing, rather than just GDPR. You get much better information.

Have fun, Alan
