On 25 May 2018, the EU General Data Protection Regulation (GDPR) became effective across all European Union member states. The GDPR is the biggest reform in data protection legislation in the past 20 years, and it creates new responsibilities for how businesses (like you) and data processors (like us) handle personal data. If your company is based in the EU, or if you store data of EU citizens, you have no doubt been curious about how GDPR affects your business.
Fresha has always maintained a policy of respect for our users’ data – our users’ data is our users’ data, and we do not sell customer data to any third parties.
With this new regulation, we at Fresha have been working to make sure our users’ data is secure, and we have adopted numerous policies to ensure our compliance with the requirements of GDPR.
Overview of GDPR
The GDPR is the biggest reform in data protection regulation since the 1995 Data Protection Directive. GDPR affects any business that is either based in the European Union or that stores data of EU citizens, and grants EU citizens certain rights regarding how their data is stored and handled. The requirements of GDPR that affect our users the most are:
- Right of consent: Businesses have an obligation to make sure customers understand how their data is stored and processed before capturing it
- Right of access: Customers must be able to request what data is being stored and with whom their data is shared, and receive a response within 30 days
- Right of rectification: Customers must be able to request that incorrectly stored data is corrected within 30 days
- Right of erasure: Customers must be able to request that their personal data be removed (“pseudonymized”) from the record of a business within 30 days
What Fresha has done to become GDPR Compliant
In order to fulfill the obligations of GDPR and ensure our users in the EU may continue to use our system, we have taken many steps towards ensuring we are fully compliant. Some steps we have undertaken include:
- We have reviewed our relationships with our suppliers and third-party technology vendors to ensure their compliance with GDPR
- We have mapped out all points of how data is captured, stored, and processed within our organization
- We have reviewed our internal policies for data access and processing, including tightening who in our organization can access data and under what circumstances
- We have implemented new product features to ensure compliance with GDPR and enable our merchants to respond to requests for data access, rectification, or erasure
Where Your Data is Stored
Here at Fresha, we are hard at work to make sure our hosting providers and other cloud service providers are themselves GDPR compliant. All data of EU citizens on Fresha is stored in one of the following:
- the European Economic Area; or
- a country which the European Commission has determined provides an adequate level of protection (including via Privacy Shield agreements); or
- with service providers who have an agreement with us compliant with the Model Contract Clauses (as defined by the European Union)
What More You Can Do
Since GDPR is such a major and comprehensive regulation, the good news is that there are plenty of additional resources online that can help you better understand how GDPR affects your business. We recommend you research appropriate guideline documents and consult with a lawyer or advisor as you deem appropriate for your business.
Although Fresha has taken all possible steps to ensure we are fully GDPR compliant, this does not automatically make your business compliant by default. For example, if an employee accesses your client data and sends an SMS to all clients regarding his new Instagram page, this becomes a breach of data privacy. Businesses should have processes to make sure that does not happen.
As a business owner, here are some additional steps you can take to become GDPR compliant:
- Contact any suppliers or other technology companies you work with that handle your customers’ data, and make sure they are GDPR compliant or are taking steps towards becoming so
- Review permission levels of each of your staff members on Fresha, and make sure that customer data is accessible only as necessary
- Inform your staff about the regulation. An overarching theme of GDPR is that customer data may be used only to the minimum extent necessary, so make sure your staff do not use customer data inappropriately
- Carry out a review of how you are currently handling personal customer data, and note down what changes will need to be made in order to comply with the new standards
- Understand where customer data is stored in the system, and be ready to respond to requests for data access or rectification
- Keep a record of the steps you have taken towards meeting GDPR requirements, and make sure you share your processes with your users in writing
If you have further questions about GDPR, we advise you to reach out to a lawyer or a regulatory compliance consultant to review your processes and see what else needs to be done for GDPR compliance.