Is Your Salon GDPR Compliant? How to Keep Your Clients' Data Safe

Hair and beauty salons have experienced a boom in the last decade in a way they have never seen before. In 2018, almost 500 new beauty salons opened their doors, and this trend shows no signs of slowing, even in the wake of COVID-19.

This means that more and more people are moving into the industry and setting up brand new businesses to capitalise on the growing market that is available to them.

Is your Salon GDPR compliant?

For your salon to comply with GDPR, you must have the client's full consent before you use or store their data, whether that is their name, address or contact information. You must also hold clear proof of that consent, and that proof must itself be stored safely.

Those who are branching into the salon business for the first time will have plenty of things to consider. Not only will you need premises, products, and a workforce, but you will also need a raft of clients to keep your till ringing.

Whilst a new salon owner might think that the main education they need is in offering safe and effective treatments, they might be surprised to learn that there are many sides of the admin elements of a business that they need to get to grips with too, and none is bigger than the issue of GDPR.

What is GDPR?

GDPR stands for General Data Protection Regulation, and it applies to all the personal data that you hold about your clients. Because of the detail needed on a client record card, this will include not only their name and address but also details about their health, allergies and medication.

As a business owner, you will be responsible for ensuring that all of your employees understand what their responsibilities are in relation to GDPR and that they are compliant at all times.

You will also need to hold personal details about your staff, including their contact details, salary, next of kin, contracts, medical information and their qualifications.

This also falls under the GDPR regulations, and you will need to think just as carefully about how you store and use this data.

For new salons

If you are setting up a new salon, then start off by carrying out an information audit. Make sure you know what information you will hold and whether it will be recorded on paper or electronically.

It is vital that you consider where you get the contact information from and whether permission has been given to use it. You will also need to think about who has access to this information, how they gain access to it, and whether they are aware of how it can and cannot be used.

For existing salons

If you are buying an existing business, you will need to check whether the salon can pass on the client details, and audit the information that they have on file already to make sure it is compliant.

What measures do you need to take for your salon?

The first thing you need to consider is how to collect the data for your salon. If you use some form of salon software, you need to look at what data it records and how it is used.

That means not only do you need to think about storing those details, but how you use them for marketing and appointment reminders.

Most reputable software providers will have a good understanding of this and should offer plenty of permission options within their systems.

They should also be able to give you clear advice about how the system works, what you should be doing and update their systems when needed.

How can you ensure your salon's marketing is GDPR compliant?

As your salon may be competing with many other businesses, you'll want to make it stand out with effective marketing strategies. If you send your clients appointment reminders, informative newsletters, promotional offers or even a birthday message, the client must have agreed to receive these marketing messages. Every email you send must also include a clear and obvious way to unsubscribe and stop receiving future emails.

Clients must opt in to receive these updates. This can be done either online, by signing up to emails, or through a verbal agreement stating that they are happy to receive updates and marketing material.

Once a client opts out or unsubscribes, their information must be removed from your database to ensure your salon is staying GDPR compliant. Furthermore, contacting clients who have opted out not only breaks data protection rules, but also wastes marketing resources and could impact the reputation of your business.

Your salon may also have clients who are under 16 years old; under GDPR rules, you may need consent from a parent or guardian to keep and use their personal data. When storing a child's information, it is best to keep it separate from other clients' data, which may be used for different purposes.

Can a client request their data?

A client can request to see the data that you hold about them.

There should not be a charge for this, and it must be provided within a month of the request. Clients also have the right to have anything inaccurate corrected, or even to have their data deleted, unless you have a good reason not to.

This may be because your insurers require you to hold certain information for a period of time in case a claim is made against you in the future.

If you use text or email to contact your clients, then there are some very strict rules that you need to comply with. This includes the existing Privacy and Electronic Communications Regulations (PECR) and the Telephone Preference Service.

Before you can send marketing messages, appointment reminders, newsletters or even a Christmas card, you must ensure that the client has explicitly opted in to receive this information.

You will also need to provide a publicly available privacy notice which clearly informs clients what data you collect, why you need it and how you use it. This should outline who the data is shared with, when and why it will be deleted, and what it will not be used for. It could be displayed in your salon or on your website.

What areas should salons prioritise with GDPR?

Salons must be GDPR compliant in many areas, including salon software, data breaches and employee contracts.
Salon software

Salons use software to record personal details, and the data it records will need to be reviewed to ensure it complies with GDPR rules. This software may also send automated messages on your behalf; checking that the correct people are receiving them, and that those who have opted out are no longer receiving them, will reassure you that your business is GDPR compliant.

When selecting software for your salon, consider what information it wants to hold and how it will be used. Knowing this gives you confidence that the information you provide is used in a GDPR compliant way.

Furthermore, depending on the software provider, they may provide help and guidance on remaining GDPR compliant.

Data breaches

We have all heard about big companies suffering from data breaches, but this can happen to any business. A data breach occurs when any of the personal data you hold is lost, shared, or altered without permission, either accidentally or on purpose.

If this happens, you need to record what has happened and contact the Information Commissioner’s Office (ICO) immediately. Some data breaches may seem very minor and unimportant but any failure to inform the ICO could result in significant fines.

Employee Contracts

Employee contracts contain sensitive information such as contact information, NI numbers and bank details. It is critical to ensure that these documents are kept secure and only accessed by those who have authority to do so. Employee information should not be shared with any other employee or any external stakeholder.

GDPR Penalties

Penalties for data breaches or failure to comply with GDPR laws can lead to a fine for your business. The EU GDPR sets a maximum fine of £18 million for any infringements, which shows how seriously you need to take this subject.

Not all violations will lead to fines though, as the ICO can also offer warnings, bans on data processing, ordering the restriction or deletion of data or suspending data transfers to third countries. GDPR is not one of the most exciting aspects of running a salon, but it is essential. It helps to keep your clients and employees safe and ensures their privacy.

Failure to comply with the rules can lead to hefty fines which could cost you your business, so you need to ensure you have a comprehensive understanding of what GDPR is and how it affects your business.

How to keep staff informed about GDPR

As GDPR is now a huge part of every business, ensuring that all salon staff are trained and comply with the rules is critical to prevent your business from being fined for non-compliance. Staff should be taught and shown the protocol for collecting data, storing data and protecting data from external threats.

For salon managers and salon owners, it is good practice to check GDPR rules regularly, as they could have changed or be changing soon, which may affect how compliant your business is. It is also good practice to confirm that clients who have opted out of being contacted have actually been removed from your database, as this step is easily missed if it is handled manually.

Do you need help with personal documents?

If you feel your salon or beauty clinic could benefit from help and advice from an off-site storage facility, we can help! Save time and money in your salon with our range of document management services.

Feel free to get in touch with our team. We can explain the service and its benefits in more detail, as well as the different types of documents you can store in our secure facility.

Looking for something else? We can also provide other document management services, including document scanning and document shredding.