So, let’s stop all the scary stuff and break it down - it’s very simple, straightforward and makes good common sense. It’s NOT bureaucracy gone mad!
However, let me be clear, this is not a definitive guide to GDPR and is just my own opinion, views and advice based on everything I’ve learnt myself about this subject.
However, it’s also great for your marketing. I find that so many salons have lots of data but we aren’t using it well - GDPR will force us to use it better as it will give us clear targeting opportunities.
A ‘targeted list with permission granted’ is between 10-20 times more valuable than a general database - in other words, just 200 clients who ‘want’ to listen to you is similar to a general database of between 2-4000 email addresses.
Just because I’ve given you my address doesn’t mean I'm inviting you round for dinner! Well, it’s the same in the digital world - just because you have my email address doesn’t mean I’m inviting you to keep popping into my inbox! We have all been making this mistake (ourselves included) and the result is that people ignore 90% of what arrives in their inbox. (Even if they had wanted to read it!)
Well, let’s be clear, as useful and important as social media is, it’s rented land. You need 'email data' not just social media friends and followers. Email is building a list on land you own - the only person who can take it away is the owner of the email address.
For example, just look at the dramatic drop in engagement that Snapchat has had recently - there is even talk of problems at Instagram due to the new algorithms. Neither is about to fold - but if you have ‘built your house’ solely on a social media platform you are always in potential danger.
So… GDPR is good - it’s going to force you to turn your huge random database into a targeted list of people who have given you permission to talk to them - brilliant! Plus it’s going to get rid of all the rubbish in people’s inboxes, giving you a better chance to engage.
However, let’s stop the panic and look at what needs to be done and what might happen if you miss something. There is a lot of talk about fines of £20 million or 4% of global turnover - whichever is higher! There is the first clue - whichever is higher!! So the minimum fine is £20 million!!! So they clearly aren’t talking about the average hairdressing salon :)
Everything I’ve looked at and everything my common sense brain tells me is that it will work much like health and safety - you may get an investigation for some reason at some time in the future. If you have taken absolutely no notice of GDPR then they aren’t going to be very happy with you, obviously. However, assuming that you have made the most relevant and important changes needed but may have missed something, then I’m pretty sure that you will get a slapped wrist and be told what needs to change and by when - can you imagine if the first step was to levy a fine! We would be taking to the streets!!
So, once again, this is not an excuse to ignore GDPR or the deadline, but simply to calm down - I’ve seen seminars being advertised on becoming GDPR compliant and some people paying an outside source a lot of money to help - this is nuts - most of the data we hold is in your software system and you can be sure that they will be GDPR ready.
Let’s look at what data a salon collects. It’s actually very simple - we aren’t using algorithms, data mining, secondary marketing or asking for sensitive personal information etc. which is why you need to ignore all the scaremongering going on - it’s simply not relevant to us.
We hold specific client details that are relevant.
Any other data we might have collected in the past is not relevant to the services we offer. If you wish to know your client’s birthday, for example, one could question why you need to know that. However, if you can answer that question, it then becomes relevant: if you give a discount or gift on their birthday, then you have a reason for knowing their birthday.
It’s pretty obvious really - just look at all the data you collect and if there is anything that you can’t say is relevant - stop collecting it!
So, quite simply, everyone has to opt in and give agreement for you to collect their data. The old days of websites etc. having an ‘opt-out’ (a tick box saying please DON’T send me stuff) will change to an ‘opt-in’ (“please send me”).
The first 'opt-in' is to agree to the use of the information for operational purposes - booking info etc. with a second one to agree to the use of the data for marketing.
Finally, if there is certain information that is perceived to be critical to the service you offer for operational or health & safety reasons you don’t have to have an opt-in - however once again it can only be used for its original purpose.
So we need someone’s name for a booking (operational) - it would be ridiculous to get consent for that - or we need to keep a record of someone’s patch test or allergy information (safety).
Marketing can be quite vague, of course - you don’t have to get permission for every email etc.
BTW - if you are thinking this is all pretty straightforward - it is! Most of it is happening anyway - the big change is that it’s now an opt ‘in’ rather than ‘out’ and the permission is specific.
Think of how you would like the companies you deal with to use your personal data and then make sure you are operating the same way - you won’t go too far wrong.
‘The right to be forgotten’ is simply that there should be a clear and simple process to request to be unsubscribed and/or any data being held on them to be destroyed. If you look at the example I showed you earlier you can see this in their terms and conditions. Make sure there is an option to unsubscribe in the footer of every email/text.
‘The right to see what data is being held’ is simply that there should be a clear and simple process to request you to provide details of any data you hold for that person - you have 30 days to comply with that request. Please note this applies (as it all does) to your employees. Any individual that you hold data on comes under GDPR.
Again, don’t panic - look at the type of data we have on our team - who is seriously going to say that their employer can’t have that data for the reasons it’s needed. Now if you were passing their details on to a 3rd party without their permission etc well, of course, that’s different - but who’s doing that?!
However, please be aware that your team can legally request access to whatever data you have. As has been the case for a long time, BTW! (So be a bit careful what you write in employee records!!)
‘Data should be kept for no longer than is necessary’ - in other words, the data should only be kept as long as needed.
This one is very vague - how long is too long? Well, the average period during which someone may re-purchase or purchase a new product or service from the same company is 50 months (that’s a general business stat, not an industry figure). Therefore one could argue that it’s ok for you to send marketing emails (assuming opt-in of course) for 50 months on the understanding that someone could still purchase from you.
Basically, if you keep your database clean - you should be doing this anyway with a marketing ‘we’ve missed you’ incentive if a client hasn’t returned within a specific period of time - then you shouldn’t have to worry about this one.
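To show how the rules above fit together in practice - the two separate opt-ins, the unsubscribe/erase request, the 30-day access request and the 50-month retention window - here is a small added example in Python. It is my own illustration, not code from any salon software; the client records and the 30.44-days-per-month approximation are constructed for the demo.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

RETENTION_MONTHS = 50     # the 50-month repurchase window quoted above
SAR_DAYS = 30             # days allowed to answer a "what do you hold on me" request
DAYS_PER_MONTH = 30.44    # constructed approximation for month arithmetic

@dataclass
class Client:
    client_id: int
    name: str
    email: str
    last_visit: date
    operational_consent: bool   # booking details, patch-test / allergy record
    marketing_consent: bool     # the separate opt-in for emails and texts

def months_since(d: date, today: date) -> float:
    return (today - d).days / DAYS_PER_MONTH

def marketing_audience(clients, today):
    """Only clients who opted in to marketing AND are inside the retention window."""
    return [c for c in clients
            if c.marketing_consent and months_since(c.last_visit, today) <= RETENTION_MONTHS]

def retention_review(clients, today):
    """IDs of records held longer than the 50-month window: candidates for deletion."""
    return [c.client_id for c in clients if months_since(c.last_visit, today) > RETENTION_MONTHS]

def unsubscribe(clients, email):
    """Footer 'unsubscribe' link: withdraw marketing consent, keep operational data."""
    return [replace(c, marketing_consent=False) if c.email == email else c for c in clients]

def erase(clients, email):
    """Right to be forgotten: drop the whole record."""
    return [c for c in clients if c.email != email]

def subject_access_report(clients, email):
    """Right to see held data: every field we hold for that person."""
    return [vars(c) for c in clients if c.email == email]

def sar_due_date(request_date: date) -> date:
    return request_date + timedelta(days=SAR_DAYS)

# Constructed sample data; TODAY is the GDPR start date used as the reference point.
TODAY = date(2018, 5, 25)
SAMPLE = [
    Client(1, "Ann", "ann@example.com", date(2018, 3, 1), True, True),
    Client(2, "Ben", "ben@example.com", date(2018, 4, 10), True, False),   # no marketing opt-in
    Client(3, "Cat", "cat@example.com", date(2013, 1, 15), True, True),    # well over 50 months ago
]
```

Running `marketing_audience(SAMPLE, TODAY)` returns only Ann: Ben never opted in and Cat’s record has passed the retention window, so `retention_review` flags her for the clean-up.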
Your software provider, merchant service provider and the bank have the responsibility for most of this. However, if you are keeping data anywhere other than with a legitimate outside party (CRM databases, Mailchimp etc.) then you must ensure that you have taken relevant safety measures to keep that data safe from everyone! Not just hackers, but other employees or even other customers (has someone’s record been left open on the computer for all to see, etc.?). But once again - no panic - surely you are currently respecting this; if not, well, now is the time to get your act together.
I would suggest that you look into something like LastPass - a strong secure way to keep passwords safe. Let’s say that you keep data in the cloud on google docs or iCloud. If someone hacks your email because your password isn’t strong enough then they now have access to that data! Of course in this day and age, you can’t be expected to guard against people who can hack into the FBI!… but you have to show you haven’t been negligent. Think about it like insurance - you won’t get far claiming for a laptop stolen from your car if you left it on the seat with the window open!
We love helping people to become more successful in all areas of their lives and we have a variety of ways of doing this. If you'd like to get to know us better and access our huge knowledge bank for free - we've created a cracking blog, packed full of really brilliant, thought provoking and inspiring content. Plus, be the first to hear about our very exciting upcoming plans and occasional offers. Just sign up below to access :)
We promise we will protect and guard your data as if it was our own. We also hate spam! - So we will be very selective with the content that we send to you - quality, not quantity!