What does GDPR mean for you?

Connor Keppel, Head of Marketing at Phorest Salon Software, explains what the implementation of new data protection rules means for salon owners, therapists, hairdressers or mobile workers.

Connor Keppel, Head of Marketing at Phorest Salon Software

By 25th May 2018, it is going to be mandatory for your business to collect, house and protect your clients' personal data and information in a secure manner. The capability to provide a clear audit trail showing how data was collected will also be a requirement of the new General Data Protection Regulation (GDPR).

This is particularly interesting in the hair and beauty industry as salons collect so much personal data from their clients, ranging from simple contact details through to very sensitive medical records.

GDPR is more comprehensive than any other data-protection law. There are a few reasons why salon owners really should pay extra attention to it:

  • You can be fined up to 4% of revenue, capped at 20 million euro (£18 million sterling), e.g. if your salon's turnover is €385,000 you could pay a fine of over €15,000.
  • Closer to the time, each country will be pushed by the EU to advertise in mainstream media, making people aware of their rights in terms of how businesses like your salon use their personal data. This will heighten consumer awareness, and you need to protect your business by being able to answer clients' questions and prove you are handling their data in a secure and data-compliant way.

For GDPR, your salon must prove it has a legal basis for collecting the client's personal information, i.e. you cannot collect personal information without reason or simply say it is for marketing. Also, you must be able to:

  • Identify exactly what personal information you are collecting.
  • Give a legal reason for taking that information, e.g. the reason for asking about allergies could be for performing patch tests.
  • Show that all of the processes you have for collecting data are GDPR compliant, e.g. if a client makes a complaint to the data protection agency in your country, you need to be able to prove in detail how you collected, stored and used their data.

You need a proactive approach to show you are data compliant, not just the ability to cover your tracks in case of a client's complaint or an audit. In order to demonstrate compliance, you need documents such as a data protection policy and a data-handling procedures manual; these are required in the event of an audit. Most importantly, you must have a record of consent proving the client opted in to give you the data.

As well as the collection and storing of data, consent to receive marketing from your business is also a big part of GDPR. Previously, it was OK to have a checkbox at the bottom of your website or consultation forms saying, 'I want to receive marketing, offers and other updates from your salon'. With GDPR, this all has to change!

  • You are required on forms to clearly outline all processing of the collected data, i.e. what exactly will the data be used for? One big vague statement with a checkbox is not acceptable.
  • You cannot pre-check boxes and ask clients to opt out. They have to opt in.
  • Clients must have the ability to request that all of their information is deleted.
  • You must have an audit trail of how the information was collected and of the fact that the client explicitly opted in.

Under GDPR legislation your clients will be entitled to request a SAR. A 'SAR' is a 'Subject Access Request', meaning you have to produce all the information you hold on the client to that person, free of charge, within 30 days. Items covered in this would have to include (but are not limited to):

  • All medical, contact etc. data you hold on the client.
  • Why you hold that information.
  • All activity and processing you are using it for.
  • People you have sent or shared the data with (if consent was provided).
  • How you collected the data.
  • A copy of the consent provided by that client.
  • How long you have held it for, and how long you intend to keep it.

If you are using pen and paper and maybe an online email tool, for example, it will be virtually impossible to provide all of the data above. Also, how do you delete a client's details from pen and paper if you have multiple entries in different diaries? This is the perfect example of why you need GDPR-compliant salon software.

Phorest Salon Software is Europe's first fully GDPR-compliant salon software and provides the industry's first fully digital, compliant consultation forms, meaning that all client details are recorded in a traceable way as per GDPR regulations. In terms of salon marketing, Phorest provides filters and tools to create marketing campaigns using email, social media and SMS, and ensures all salon contacts are correctly opted in and won't get salon owners into trouble when clients request a copy of their consent. All data stored on Phorest Salon Software is fully encrypted, meaning that clients' data is protected at all times. To learn more about GDPR and find out how you can protect your salon, visit: www.salonGDPR.com

Connor Keppel is Head of Marketing at Phorest Salon Software, the number one provider of salon software that helps salons in the UK, Ireland, the USA, Finland and Germany grow their businesses through cutting-edge retention marketing tools.