The European Uniion’s General Data Protection Regulation (GDPR) came into effect on the 25th of May this year, but businesses have a year to meet all obligations. Depending on your current organizational structure, modifications to the way you currently manage data may be minimal. However, even very small European spas need to be fully prepared as fines for non-compliance can be as high as 4% of your annual gross income from the previous year. Ouch!
A lot of spas and other service focused business do not realize that GDPR is applicable to them. In fact, it was recently brought to my attention that BISA must be in conformance as so many of our students are from EU countries. Similarly colleagues in the UK thought they were exempt when in indeed they are not as they are still part of the EU. Even after Brexit the government is likely to introduce a very similar set of regulations, so business adjustments will have to be made anyway. Furthermore, compliance will still be necessary to trade with companies within EU member states. So get it right now should be your strategy.
Other misconceptions are abundant, especially in the spa sector. For example, some spas believe that because they follow HIPAA rules about health care data that they are already in compliance. This is not the case as GDPR covers all data. Also just because there is a record keeping exemption for companies with less than 250 employees, does not mean that you are not responsible for implementing other aspects of the GDPR.
The GDPR can definitely be perplexing at first. Just identifying whether your spa is a ‘’controller’’ or a ‘’processor’’ of data, or both can lead to confusion. According to the GDPR portal, “a controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” Different rules apply to each, but both can be held liable if there is a data breach.
If your spa is part of a large hotel, resort, casino or medical establishment, it is probable that they are addressing all the issues on behalf of the entire company, thus taking the headaches away from you as a spa manager or owner. However, if you are a stand-alone spa then it is up to you learn exactly how to be in conformance or else risk a hefty financial penalty.
- Consent:Customers must now give explicit consent to use their data for any purpose. “Implied” or implicit consent is not enough. Nor is lack of objection. Consent must be unambiguous and not drowned in “legalese’, nor buried deep inside the small print of your terms and conditions. Neither can it be part of a mandatory tick-box that must be clicked on before a product is purchased.
- The Right To Erasure / Be forgotten:Under the GDPR, companies are required to erase personal data if the subject requests it. Even if consent is given initially, it can still be revoked.
- Breach Notification:In the event of a data breach, a controller is required to notify all affected subjects within 72 hours of detection. Relevant regulatory authorities must also be contacted.
- Data Subject Access Request:EU residents (data subjects) have the right to request access to review all personal information data gathered by companies.
So, if you have not yet started to comply now is the time to read up and take action. It may seem daunting at first, but there are many free resources to guide you or you can hire a consultant with expertise in this area. A good starting point is the official GDPR website, which includes an easy to understand infographic that is suitable to explain these new protocols to your staff as updating SOPS, training manuals and marketing materials are all critical ways to demonstrate compliance.
No doubt, these updated data protection regulations place a heavy burden on spas, but your customers will reward you with loyalty by clearly demonstrating that their personal, and sometimes sensitive, information, will not be abused in any way.
By Penny Ellis
President / Director
Bali International Spa Academy