Your hair or beauty business may have received a letter from the Information Commissioner’s Office (ICO) within the past few weeks.
The letter is about GDPR and is a reminder to businesses that they may have to register with the ICO and pay a data protection fee. Letters are being sent to the registered office addresses of limited companies which in some cases may not be the salon, barbershop or clinic address.
The Information Commissioner’s Office (ICO) is the UK regulator for data protection. By law, under the Data Protection (Charges and Information) Regulations 2018, organisations that handle personal information electronically, such as people’s names and addresses, must register with the ICO and pay the annual data protection fee, unless they qualify for an exemption.
The need to pay the fee is determined by how your organisation uses personal information for work purposes. For example, if you store personal information on a computer or phone you must check whether you need to pay the data protection fee. If you use CCTV or dashcams, you are likely to need to pay.
For those with 10 or fewer employees, the fee is currently £40 per year. It’s important to pay if you need to, to avoid a fine.
To pay or check if you’re exempt, you can use the ICO’s online self-assessment: ico.org.uk/fee-checker. It will guide you through some questions about how your organisation uses data to determine whether you need to pay.
This blog post covers:
- Most salons and barbershops won't have to register
- Operating CCTV or carrying out credit checks? You must register
- Check if you need to register
- FAQs
- Penalties for non-payment
- Checklist
Most hair and beauty businesses will NOT have to pay the data protection fee
The vast majority of hair and beauty businesses, including self-employed chair, space and room renters, will not have to register with the ICO.
However, you must still go to the ICO website to confirm that you do not have to register or pay the fee.
Important: even if you do not need to register and pay, you must still fully comply with GDPR. NHBF Members can download our free guide and templates toolkit.
Operating CCTV or carrying out credit checks? You WILL have to register
Please note: if you are responsible for operating CCTV inside or outside your business premises you will likely have to register with the ICO and pay the data protection fee.
If you provide credit facilities and do credit checks on clients then you will likely need to register and pay the data protection fee.
Find out more about what to do on the ICO website
Check if you need to register
You may need to register and pay the fee if you operate CCTV inside or outside your premises.
In addition, you may have to register if, for example:
- You are running your business as a franchisee.
- You are based in a hotel or spa.
- You carry out credit checks on clients.
Training provider organisations must always register and pay the data protection fee.
You can use the ICO’s self-assessment checker to help you decide if you need to register or not.
If you have any questions, contact the ICO for help.
FAQs
I haven’t received or can't find a letter, what do I do?
You will likely only receive a letter if you are a limited company and are not already registered with the ICO. You may not have received a letter if you are a sole trader or a partnership, but you may still need to register. If you are in any doubt, contact the ICO for help.
You can speak to the ICO fees team via live chat on their website, or call their fees helpline on 0303 123 1113.
I hold client data on a computer, do I have to pay?
You are not usually required to register just because you hold client details on a computer, including skin test results or some medical information.
I take payments by card, do I have to pay?
You are not required to register just because you take card payments.
However, if you provide credit facilities and do credit checks on clients then you will likely have to register and pay the data protection fee.
Do I have to pay if I have a website?
You do not have to pay if you have a website that advertises only your own business and products.
Do I have to register because I write client information down?
Keeping a written record of your client’s contact information so that you can remind them about appointments or let them know you have a special offer does not mean you have to pay a data protection fee.
Do chair, space and room renters/mobile practitioners have to pay?
Chair/space/room renters or mobile practitioners would not usually be required to register even if they hold client contact, appointment and treatment details on a computer.
Do I have to register because I have the client's skin test results/medical information?
If you only hold medical information such as skin test results to allow you to provide a non-medical service for your clients, such as colouring, waxing etc., you will not automatically have to register and pay the data protection fee.
What if I use an online booking system where data is stored on the cloud, not on the business’s computer?
You will not be required to pay because you use an online booking system even if the data is stored on the cloud and not on the business’s computer.
What data can I hold without having to pay the fee?
- Staff administration details including any training records for your staff.
- Client mailing lists – you may use these to advise clients of any promotions or special offers etc. This is classed as advertising, marketing and public relations for your goods and services.
- Clients' names, addresses, ages, birthdays, medical information and allergies.
Penalties for non-payment
If your business does have to pay the data protection fee and you fail to do so, you may be fined up to £4,000.
Checklist
- Don't ignore your letter from the ICO.
- You must respond - even if you don't have to pay the data protection fee.
- Most salons, barbershops and clinics will not have to pay.
- You will likely have to pay if you operate CCTV and in some other circumstances.
- If you are in any doubt, please check with the ICO.
You can speak to the ICO fees team via live chat on their website, or call their fees helpline on 0303 123 1113.