The GDPR comes into effect on 25 May 2018. You’ve probably heard about it already, but now the clock is really ticking. GDPR stands for General Data Protection Regulation: a new European privacy law that replaces the current Dutch Personal Data Protection Act (Wbp). All businesses, including all salons, have to comply with the GDPR. It’s time to take measures, because you are obliged to comply with all of its rules by 25 May. Put simply: know which personal/customer information you hold in your salon and be extremely careful with it. Make sure that nobody else can access the data, leave nothing lying around, and make sure that your computer and website are properly secured. We can’t go into every detail of the GDPR, but we’ll gladly help you by sharing some useful information and tips.
Just like the current Personal Data Protection Act, the GDPR is intended to strengthen the protection of personal data, including customer information and any other personal information. Personal information includes obvious items such as a name or a date of birth, but also anything else that can identify a person, such as a post code combined with a house number. The key rule is: you may only hold information that is essential for you to do your job! For example, after 25 May you won’t be allowed to keep a customer’s date of birth (to send them a birthday card, for instance) unless the customer has given you permission to store it.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has said that there will be strict inspections, but nobody knows if that will really happen. At any rate, the fines can be (very) high. Lawyers who know the GDPR well say that you have a smaller chance of being fined if you can show that you take personal data protection and the GDPR seriously. One way to do this is by addressing it on your website. Here are some general and more specific tips for your website:
1) You must have an overview of all personal information in your possession. The GDPR calls this a (processing) register (the record of processing activities described in Article 30). If your records are inspected, or if a customer asks, you must be able to show which data you have, why you have them, what you do with them, and how long you keep them. You can record all of this in the register.
2) The GDPR requires that all companies clearly record their procedures. Create a “data document” that specifies where you store the information you hold, how you have secured it, and how you will respond to a data leak. For example, note that you will report any data leak to the Dutch Data Protection Authority straight away (the GDPR sets a deadline of 72 hours after you become aware of it), and describe how you will handle customers who want to view their information or have it deleted. In case of an inspection, you are obliged to produce such a document immediately. If you do not have it, you are in violation of the law. If you do, you show that you take the GDPR as seriously as it deserves to be taken.
3) Make sure you have a privacy statement. In it, explain that you need certain information to be able to do your work, which data you need, and what you do with them. A privacy statement on your website shows that you understand that protecting personal information is an important matter. That’s why it’s smart to feature the link to your privacy statement prominently on your website rather than hiding it, even if it’s not the prettiest thing on the page!
4) The registration form or contact form on your website may only ask customers for information that you really need, and you must explain clearly why you need it. Where you rely on the customer’s consent to hold their information, the person completing the form must actively give it. Note: a simple checkbox will suffice, but it must not be checked by default; a pre-ticked box does not count as valid consent under the GDPR, so customers must tick the box themselves.
5) Make sure your website is secure, especially if you have an online shop! The reasoning is simple: if customers leave data on your website (online shop > name > address > account number), those data can be stolen in a hack. That is what we call a “data leak”, and it’s best to be careful here. As a minimum, the whole site should be served over HTTPS, and the shop software and its plug-ins should be kept up to date. We recommend contacting the person who built your website and asking them to make the necessary changes; don’t assume they’ll make the changes on their own. It’s your website, after all, so you’re responsible for its security!
6) Do you use Google Analytics to track visitors to your website? Set it up so that visitor information is anonymised: at a minimum, switch on IP anonymisation, and review the data-sharing settings and the processor agreement with Google. It’s best to find a capable advisor to consult on this matter!
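As an added example (not code from the original article), this is what the IP anonymisation setting from tip 6 looks like in the standard gtag.js snippet for a Universal Analytics property. The measurement ID is a placeholder, and the block assumes that on a real page Google’s gtag.js script tag is loaded before it; the small self-check at the end is our own addition so you can confirm the setting is in place.

```javascript
// Added example, not the article's own code: the standard gtag.js bootstrap
// for Google Analytics with IP anonymisation switched on.
// Assumption: in a real page, Google's gtag.js <script> tag precedes this.

var dataLayer = dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Placeholder property ID (assumption): replace with your own.
var GA_ID = 'UA-XXXXXXXX-1';

gtag('js', new Date());

// Weak default: visitors' full IP addresses are sent to and stored by Google.
//   gtag('config', GA_ID);
// Corrected: Google truncates the IP (last octet for IPv4) before storing it.
gtag('config', GA_ID, { 'anonymize_ip': true });

// Self-check: true when a 'config' call in the data layer has anonymize_ip set.
// Run it in the browser console after the page loads (or in Node).
function ipAnonymisationEnabled(layer) {
  return Array.prototype.some.call(layer, function (entry) {
    return entry[0] === 'config' && !!entry[2] && entry[2].anonymize_ip === true;
  });
}
```

IP anonymisation is only one of the settings involved; the data-sharing options in the Analytics admin panel and the processor terms with Google still need to be checked separately.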
7) Speaking of Google: search for GDPR on Google and you’ll find a whole lot of checklists. Work through them and check whether there’s anything you still need to change. You can also engage a lawyer. It might not be cheap, but you’ll be sure that your business and your website have been thoroughly checked.
The GDPR is a tricky, boring piece of regulation that everyone has to comply with, including Lash eXtend and your salon! We hope that we’ve been able to help you on your way. Unfortunately, we also have to say that these tips are simply meant to help you; they are not a legally valid, official document. It remains your responsibility to comply with all the rules set by the GDPR. We wish you the best of luck!