Fresha has always maintained a policy of respect for our clients’ data. Our clients’ data is their own, and we do not sell customer data to any third parties.
With this new regulation in place, we’ve been working on making sure our clients’ data is secure and have adopted a number of policies to ensure we are 100% GDPR compliant.
What is GDPR?
GDPR is the biggest reform in data protection regulation since the 1995 Data Protection Directive. GDPR affects any business that is either based in the European Union or stores data of EU citizens, and grants EU citizens certain rights regarding how their data is handled and stored. The requirements of GDPR that affect our users the most are:
- Right of consent: Businesses have an obligation to make sure clients understand how their data is stored and processed before capturing it.
- Right of access: Clients must be able to request what data is being stored and with whom their data is shared, and receive a response within 30 days.
- Right of rectification: Clients must be able to request that incorrectly stored data is corrected within 30 days.
- Right of erasure: Clients must be able to request that their personal data be removed (“pseudonymised”) from the record of a business within 30 days.
What has Fresha done to become GDPR compliant?
In order to fulfill the obligations of GDPR and ensure our users in the EU can continue to use our system, we have taken many steps towards ensuring we are fully compliant. Some steps we have undertaken include:
- Reviewing our relationships with our suppliers and third-party technology vendors to ensure their compliance with GDPR.
- Mapping out all points of how data is captured, processed, and stored within our organisation.
- Reviewing our internal policies for data access and processing, including new restrictions on who in our organisation can access data and under what circumstances.
- Implementing new product features to ensure compliance with GDPR and enabling our merchants to respond to requests for data access, rectification, or erasure.
Where is your data stored?
Here at Fresha, we have been working to ensure our hosting providers and other cloud service providers are themselves GDPR compliant. All data of EU citizens on Fresha is stored in one of the following:
- the European Economic Area;
- a country which the European Commission has determined provides an adequate level of protection (including via Privacy Shield agreements); or
- with service providers who have an agreement with us that complies with the Model Contract Clauses (as defined by the European Union).
What else do I need to know?
There are plenty of additional resources that can help you better understand how GDPR affects your business. We recommend researching appropriate guideline documents and consulting with a lawyer or advisor if you deem it appropriate for your business.
Although Fresha has taken all possible steps to ensure we are fully GDPR compliant, this does not automatically make your business compliant by default. For example, if an employee accesses your client data and sends a text message to all clients regarding their new Instagram page, this becomes a breach of data privacy. Businesses should have processes in place to make sure that doesn’t happen.
As a business owner, here are some additional steps you can take to become GDPR compliant:
- Contact any suppliers or other technology companies that handle your clients’ data and make sure they are taking or have taken steps towards becoming GDPR compliant.
- Review permission levels of each of your staff members on Fresha, and make sure that customer data is only accessible where necessary.
- Let your staff know about the upcoming regulation. An overarching theme of GDPR is that client data should only be used to the minimum extent necessary, so make sure your staff don’t use client data inappropriately.
- Carry out a review of how you are currently handling personal client data, and note down what changes will need to be made in order to comply with the new standards.
- Understand where client data is stored in the system, and be ready to respond to requests for data access or rectification.
- Keep a record of the steps you have taken towards meeting GDPR requirements, and make sure you share these processes with your clients in writing.
If you have further questions about GDPR, we recommend reaching out to a lawyer or a regulatory compliance consultant to review your processes and see what else needs to be done for GDPR compliance.