Protect the data, but don't forget to protect yourself!

What is the GDPR?

The GDPR (General Data Protection Regulation)  is a new EU regulation aimed at helping to strengthen data protection for those within the EU and is applicable to both EU residents and international companies dealing with them. Essentially this regulation forces businesses to take extreme care with any personal information they collect. Failure to do this can result in some pretty hefty fines!

Anyone who collects and processes personal data whether it's in person or online will have to comply with the regulation.

 It's purpose 

The aim of the GDPR is to increase transparency of how personal details are kept, who has access to them and how long they will be kept for. Businesses must have provable explicit consent where required before they store any personal data and also gives users the right to ask to have their personal information removed from any database. 

Consequences of not complying

Non-compliance with the GDPR can result in a maximum fine of 20,000,000 Euros or up to 4% of your annual worldwide turnover, whichever is the greater.  Warnings, reprimands and lower fines may also be imposed by supervisory authorities depending on the severity of the breach.

When does it come into effect?

You will need to comply with the GDPR regulation by the time it comes into place on the 25th May 2018

What you need to do

You need to decide whether consent is appropriate for your business. It is only appropriate if you can offer your clients an actual choice over how you use their data. If their consent is a precondition of a service then consent may not be appropriate. Click here for more information regarding consent.


Update your privacy policy and make it clear why you are collecting this information, how it will be used, who has access to it and how long you will keep it for. The aim of the GDPR is transparency so let your clients know exactly what you will do with their information.

You will however need express consent for marketing purposes. You can add a section to the bottom of your consultation form and grab their signature so you can prove you had their consent. This must be an opt in option. If they do not give express permission for you to email them then you cannot do so.

Third party processors

If you implement email marketing or take payments you will likely use a third party data processor to process these things for you. For example, if you take payments via Paypal or you use Google Analytics on your website to track your traffic. These third parties keep personal information stored for you and so also bear the responsibility of keeping it safe. Most data processors are US based and should also be Privacy Shield compliant and working on GDPR compliance BUT be sure to check! Take a good look at their privacy policy and if you find that they do not comply you need to find another processor.

Protect yourself!


As a lash technician you will need to keep a record of your client's personal information and it is likely a requirement of your insurance that you keep that information for a period of 7 years. Within the UK the statute of limitations is 6 years and that means that any client you have can potentially make an injury claim against you within 6 years of an injury being discovered (not from when the alleged incident occurred). If you treat a minor then this extends to 6 years after they are 18.

This can obviously be problematic should a client ask you to destroy their information within those 7 years. You may need that information to defend yourself should they make a claim against you.

Fortunately there are provisions under the GDPR which allow you to keep your records and refuse the right to erasure to defend yourself in a claim situation. 


Click here for more information regarding your right to refuse your client's request for erasure.

Whilst the main aim of the GDPR is to gain explicit consent in most cases, consent is not always appropriate. If you have a legal obligation to keep their data and you would refuse them their request for erasure then it is unfair and misleading to ask for their consent.

To summarise

The GDPR can seem very daunting but it's important to realise that it's purpose is to protect all of us. The steps you may need to take can depend on your type of business and how you interact with your customers. There may be instances where you do not require explicit consent.



Here is a brief summary of what you need to do to comply.

  • Update or implement a privacy policy

  • Make it clear what information is collected and why, who has access to it and how long it will be kept for

  • Inform your clients how they can request that their information is erased (if you will erase it should they ask)

  • Get explicit consent on your consultation forms for information to be kept and for any future marketing they may receive

  • Get consent for their images to be used on social media

  • Check that any third party processors that you use also comply with the GDPR and direct your clients to their privacy policies

The above information regarding your responsibilities under GDPR is not exhaustive. For more information regarding the GDPR please visit the Information Commissioners Office for more detailed information. They also have a helpline for small businesses and try this interactive guidance tool to see whether you require consent.