Episode 85

Published on: 17th Feb 2025

GDPR 101: Essential Data & Client Privacy Tips for Your Salon Business with Robyn Banks

Data protection and UK GDPR compliance is an important but often misunderstood topic in our industry, affecting every salon professional and owner. Today, we dive into the complex world of the GDPR law with Robyn Banks from Adavista, who specialises in helping businesses navigate these regulations with confidence. We discuss the changes that came into effect back in 2018 and the ongoing challenges solo and salon business owners face in ensuring compliance while managing client information. From understanding ICO registration to handling client data properly, this episode aims to demystify the GDPR minefield and provide actionable insights. We also explore the nuances of data portability and the responsibilities and challenges that may come with using third-party booking systems, ensuring you're well-equipped to protect your business and your clients. Tune in for an enlightening conversation that will empower you to embrace compliance without fear. Grab a notepad and pen - you may need one!

Data protection and compliance can feel like a labyrinth, especially for salon pros navigating the subject of GDPR. This episode features Robyn Banks, a GDPR expert, who simplifies the regulations affecting businesses of all sizes, whether you're running a solo side hustle or managing a multi-location salon. We explore the evolution of data protection laws, focusing on the significant changes that came with GDPR in 2018, and the ongoing implications for how client data is handled. Robyn clarifies essential considerations such as data portability and how your booking system has to enable the movement of your client data, the necessity for ICO registration, and the importance of privacy notices, all while ensuring that the conversation remains approachable and devoid of legal jargon. By the end of our discussion, listeners will be equipped with practical strategies for ensuring compliance, safeguarding client trust, and avoiding the pitfalls that can arise from mishandling personal data.

In this informative episode, we tackle the often-overlooked aspects of data protection in the beauty and wellness industry. Robyn emphasises the responsibilities salon owners have when collecting and processing personal data, highlighting the need for clear communication with clients regarding their rights. We also discuss the important role of documentation, from subject access requests to the importance of keeping accurate records of client interactions. Robyn's insights serve as a valuable reminder that data protection is not just a legal obligation but a fundamental component of maintaining a professional and trustworthy business. For salon professionals unsure of their compliance status, this episode provides a wealth of information and practical advice to help them navigate the complexities of GDPR with confidence.

As we explore the nuances of GDPR, Robyn offers a wealth of knowledge that is both practical and essential for salon professionals. This episode sheds light on the critical areas of data portability and the rights clients have regarding their personal information. Robyn discusses the importance of maintaining compliance not only to avoid fines but also to maintain a trusting relationship with clients. We delve into the specifics of how to implement GDPR regulations effectively, including the necessity of privacy notices and the potential pitfalls of neglecting data protection duties. The conversation is designed to empower salon owners and professionals, equipping them to handle client data responsibly. With clear explanations and actionable steps, listeners will leave with a solid understanding of how to integrate GDPR into their business practices without feeling overwhelmed.

Takeaways:

  • Understanding GDPR is crucial for every business, regardless of size or nature, as it applies universally to personal data handling.
  • Simultaneous compliance with GDPR and effective data management means implementing clear privacy notices and protocols for client data protection.
  • Data portability allows clients to request that their information be moved from one business to another, emphasising the need for seamless data transfer processes; this also relates to your data moving between booking system suppliers.
  • Businesses must register with the ICO within six months of operation, regardless of whether they are a side hustle, a sole trader or a larger enterprise.
  • Maintaining an Accountability document is necessary for businesses to outline their data protection measures and demonstrate compliance with GDPR requirements.
  • AI tools can streamline data management but must be used cautiously to ensure compliance with privacy laws and intellectual property rights.

Companies mentioned in this episode:

  • Adavista
  • ICO
  • Jena
  • Mailchimp
  • Brevo
  • Mailerlite

Transcript
Robyn Banks:

Please note that this transcript is created using AI and as such may contain errors and omissions - check against the recording if using for any publication purposes.

Welcome to Inspiring Salon Professionals, the podcast that allows every therapist, nail tech and stylist, to level up, build their career and reach for their dreams.

Each episode we'll be looking at a different area of the industry and along the way I'll be chatting with salon owners, industry leaders and experts who will be sharing their stories on how they achieved their goals, made their successes, all to inspire you in your business and career. I'm Sue Davies, your host, award winning salon owner and industry professional. Welcome to Inspiring Salon Professionals.

Welcome to this episode of Inspiring Salon Professionals.

And today we're going to be covering a topic that affects every business but can feel like a bit of a legal minefield and that is data protection and UK GDPR compliance. Now, anyone that's been in industry for a little while and has had their own business for a little while will know that GDPR regulations changed.

ut I think it changed back in:

A lot of build up to it and then actually wasn't as bad as we thought it was going to be. But there's still a lot of questions over compliance.

So as salon professionals we do handle client information on a daily basis, from appointment bookings to our medical history forms. But we really, really need to understand that we are truly protecting that data in the way law requires.

So today my guest is Robyn Banks, founder of Adavista, a specialist consultancy that helps businesses navigate data protection laws with confidence. Because that's the key thing here, is making sure you're confident.

de the author of the original:

Now she helps businesses across the world ensure compliance with the UK GDPR and international data laws while making the process far less intimidating wherever she can.

So we're going to be covering everything from ICO registration and privacy notices through to how salons should handle client data and even some of the tricky industry specific challenges that come up with data sharing and portability. And data portability is something we are going to look about and we'll be explaining in the episode. So anyway, that's that for now.

A quick intro for Robyn and I'm going to hop over and have a chat with her and I'll see you on the other side. Are you a solo beauty professional struggling to juggle everything from the endless client organizing, no shows, double bookings.

Or maybe find the thought of a website and building and maintaining it a little overwhelming. If this sounds familiar, there's a solution built just for you, Jenna.

Jenna is an all in one app designed to make life easier for solo beauty pros just like you and me. It takes care of your bookings, payments and even builds a professional website for you. And best of all, no tech skills needed.

No more client late night messaging, hidden fees or constant stress. If you're ready to simplify your business and get your time back, check out Jenna today.

Find the link in the show notes and see how Jenna can transform the way you work. Hello, Robyn. I've just introduced you. So you are Robyn Banks. And I know, I do love your name. I know when we've been on networking together and it is.

And I just love like your little. What is, what is your little phrase that you always say?

Speaker B:

Not what I do for a living.

Robyn Banks:

Yeah, that's it. Because it's just brilliant. I just bought a name. Yeah. Unforgettable. Really.

Speaker B:

Yeah. If the person's not enough, then the name will do it.

Robyn Banks:

It's personal branding for you at like absolute, like a high level, isn't it? Because it's like no one is ever going to forget your name.

So we are here today to talk about the really, really exciting subject of data protection and compliance, which is it is probably one of the dry subjects really, next to like health and safety. It's because it's all black and white, isn't it? It's all text, it's like huge laws.

And as salon professionals, salon owners, sitting, wading through an act or a law is like, is a law.

And trying to have that broken down into something that we understand just as regular human beings trying to understand the Data Protection Act is a lot.

So I wanted to invite you on today because I see through so many of the forums at different points, people having problems with just generally understanding what they need to do and what their responsibilities are. So the basics, data protection laws apply to every UK business.

he year right, I think it was:

Was it:

Speaker B:

Yes, yes. That was D Day or DP Day.

Robyn Banks:

Yeah, just like honestly, that day I was saying it was like it was so stressful leading up to that. But if you weren't, if you weren't in business then, and you've come in after you, aren't you? So you've come into something that's already existing.

So if you, and if you aren't made aware of it when you start your business, you're going to never know it's there, are you? It's one of those like you don't know what you don't knows exactly.

Speaker B:

And not until it comes and bites you on the backside, basically. So my job is to stop that happening. That's what I do. And I've been doing it for 20 years because we had legislation before this.

our first legislation was in:

Robyn Banks:

Yep.

Speaker B:

was the Data Protection Act,:

Robyn Banks:

Oh, okay. Did we even have electronic data then? I suppose we did, didn't we?

Speaker B:

Start of it was the start. Basically it started to come around. So yeah, but that would then be anything that we were doing on computers.

So yeah, people were starting to use Windows 3.

Robyn Banks:

d our first fax machine about:

Speaker B:

There you go. That's electronic processing. That's electronic processing.

So then we had the:

That came in gradually and I was working in the Foreign Office at the time and I was helping them with implementation and I was working with the guy who wrote that to make sure we could do implementation. So that's, that's where my background comes from. I'm not legal based, I'm government based. But then I came out of there because I was being bullied.

So I thought okay, well I've got all this knowledge of how we can make this work in place, so I'll go and put this in place. And that's what I've been doing ever since.

So in:

Robyn Banks:

Okay.

Speaker B:

So that's. That gets that out of the way. But they, we then said that's fine for Europe. You can have those 3,000 pages.

We're only going to implement a thousand pages of it and we're only going to implement the bits that actually mean we don't have to change much.

Robyn Banks:

That doesn't. That sounds like a UK government, doesn't it?

Speaker B:

Yeah. Made my life so much easier. I haven't got to relearn a whole load of new stuff. Fantastic.

Now, if you go on the Information Commissioner's website, there is pages and pages, I mean, reams and reams and reams of guidance of how we expected to do that. All of that is tucked away in here.

Robyn Banks:

Yeah.

Speaker B:

In the filing cabinet.

Robyn Banks:

It's like a little Rolodex in your head, isn't it? I mean.

Speaker B:

Yep. So it's all. And it's. You can tell I'm not even looking at notes, it's just coming, so.

And because it applies every day in every way to everything we know, it applies to business. So it's anything that you use in business.

th of May:

Before that, it was a living individual and we had all sorts of problems with cats and dogs and parrots and monkeys. You name it, we had a problem with it. So they decided that that would go away and we would just have natural person.

Interestingly, there's no definition of what a natural person is in the legislation, so that leads up to our imagination. But that's what it says. And the reason I specified about and really emphasised the word indirectly is because you can have a piece of.

You can have a paragraph information without actually mentioning somebody's name, but you still know who it's about.

Robyn Banks:

All right, okay. Yeah, indeed.

Speaker B:

So if you have that, that's still personal data.

Robyn Banks:

Yeah.

Speaker B:

If it's an expression of opinion about that person, it's still personal data because it relates indirectly to that person.

Robyn Banks:

Okay, all right.

Speaker B:

So if. So we were talking before and you were saying about. You might, in the industry, you might make notes on somebody's records that you've got.

That is your expression of opinion that their personal data that you're expressing about them.

Robyn Banks:

Yeah. Okay, so put that into. Into context.

So if, if client A comes into you and they tell you, and I'm going to use diabetes as an example, because it's been a thread I was looking at this morning, they had diabetes, you make notes saying that you've had to refuse treatment on these grounds because, you know, whatever they want a Pedicure and they've got like that neuropathy in their feet. They can't feel their feet, so you had to turn them down. So you'll make a note on your documents saying that client A was refused treatment.

I've explained they can't have a treatment because of X, Y and Z and referred them to a healthcare practitioner to have that service done. Now, that client may not agree with what you've said and they may come back and challenge you.

So they would then have rights to see what you've written about them because it's an indirect comment.

Speaker B:

Yes. So one of the major rights we have as individuals under this legislation is to make a request. It's called a subject access request.

You are the data subject, you're the person the data is about. So client A is the data subject in this case? Yes.

We use this scenario that you've just done and, yeah, they're not happy that you have refused some treatment. So they have the right to come and say to you, I want to see everything that you hold on me.

Robyn Banks:

Yeah.

Speaker B:

And that is a data protection subject access request. You have one month, calendar month, to which to reply. You don't just photocopy everything, you've got to send to them. Right. This is very important.

You don't have to just photocopy everything and send it to them. You can ask them if they're looking for something specific.

Robyn Banks:

Yeah.

Speaker B:

But you're not allowed to hold it against them. So you can't just turn around and say, no, you can't have that. You have to have a justifiable reason. If you're not going to give it to them.

Robyn Banks:

Yeah.

Speaker B:

If you have explained it to them in that way, there's no reason why they shouldn't have that piece of paper.

Robyn Banks:

Yeah.

Speaker B:

So then I probably would photocopy and give it to them.

Robyn Banks:

, actually late:

And I come in and we suddenly had a big directive to stop writing negative notes about customers. So I've had it drilled into me for a really long time. And you don't ever do that.

Speaker B:

Yes, because now that's for another reason. That's for a different reason. Okay. So if client A gets that piece of paper and doesn't like what you've written, they can't actually take any action.

Against you. Because as long as you have set it out in a matter of fact kind of way.

Robyn Banks:

Yeah.

Speaker B:

If there is any comment in there that can't be justified and they find it offensive, then they can sue you for that, for unlimited compensation. So it's not about not saying no, it's about saying no in such a way that you can back it up.

Robyn Banks:

Yeah. And it isn't about documenting it and documenting it in a professional way.

Speaker B:

Professional way. That's. That's all you have to do is just bear in mind that that's what you have to do because they can come back to you and they have.

We have the legal right to do that.

Robyn Banks:

Yeah.

Speaker B:

I haven't actually, in 20 years come across any case where that's actually gone to court.

Robyn Banks:

Yeah. Because I think people. People probably wouldn't, would they?

Speaker B:

Oh, you'd be surprised.

Robyn Banks:

Well, I'm sure. Yeah. Maybe. Yeah.

Speaker B:

Because they thought that they didn't have to worry about. Because people would never see it wrong. So, yeah, it's.

Robyn Banks:

So we sort of slightly digressed a bit there, but very, but very useful things like that. We digressed.

Speaker B:

The thing is, it's, it's not. This is not a linear subject. A does not lead to B. So this is why I brought that in there.

Robyn Banks:

Yeah.

Speaker B:

So that's what you have to remember when you're doing that kind of thing. Because under the law, we have this right of access.

So that is something that we have to bear in mind when we are filling out forms and putting information about people on. So don't write custom. Client A was a right grumpy old cow because she could sue you for that. Right.

That she was definitely unhappy about what was what I, what I was trying to explain to her that that's perfectly legitimate. That's perfectly. And, and, and you know, everybody can see every right to record that.

Robyn Banks:

Yeah. And people are allowed to be miffed if we. Especially with something like that.

If we refuse service for something we know is a contraindication and could cause them harm. So we'd be doing the wrong thing because if we did do it and then something happened, then they'd sue us for malpractice kind of thing.

Speaker B:

So again, under this legislation, you're not allowed to do it because you're not allowed to do anything that might cause somebody harm.

Robyn Banks:

Yeah. This is it, isn't it? It's just. Yeah. So we have to. We. We have to be mindful of that. So before they get to.

Well, hopefully, if a client does come to them asking for like an SAR. Then they're going to be registered with the ICO, because one of the first ports of call would possibly for a client be.

I'm taking, I'm going to go to the Information Commissioner's office.

Speaker B:

They can go to the Information Commissioner's office, but they have to have done a request on you first and they have to then ask for a review first before the Information Commissioner will even look at it.

Robyn Banks:

So, so what do people need to do to register? And, and how soon after they start their businesses do they need to register?

Speaker B:

Right, so you have about six months leeway in setting up your business to get yourself established and stuff. And you need to do this regardless whether you are a sole trader, whether you're a limited company, partnership, whatever it might be.

You need to register with the ICO and you do it by going on the ICO's website. And in the top right hand corner it says pay. Either pay here or register here. Something like that. Off the top of my head because I keep changing it.

Don't accept the cookies. They've got a cookie bar, comes up and down on the right hand side. Don't accept, don't allow the cookies, just say, refuse those and then carry on.

It won't make the slightest bit of difference to what you're trying to do. So it will then take you through now. It will offer you a self assessment form. Don't even go there. All right?

Don't bother with the self assessment form because it will give you misinformation. And when the information, if you get caught out and the ICO say to you, how did you decide not to register?

You say, well, I filled in your form and it told me not to. Well, that's no defence because it depends on what information you put into it. If you process data electronically in any format.

So if you use your phone, if you use a computer or a laptop or emails or a website or so any kind of electronic system, you must be registered.

Robyn Banks:

And does that mean if you're capturing data. So say you do everything by paper, but you've got a website where you have a pop up where you ask them to sign up to your newsletter, you'd register.

What if you don't? If you've got just a website and you don't capture data on your website.

Speaker B:

I don't capture data on my website, but I still use emails. And we're processing data electronically here today. Listening to this?

Robyn Banks:

Indeed. Okay, that's fine.

Speaker B:

Just checking. It's everything, anything you do, if you switch an Electronic device on. If you have an answer machine, you are processing data electronically.

It's that basic.

Robyn Banks:

And does, Sorry, does this apply to handwritten diaries and handwritten consultation notes? Yes, yes.

Speaker B:

So this, since the:

Robyn Banks:

Okay.

Speaker B:

So anything that's written, I just want.

Robyn Banks:

To clarify that because I think there's a bit of a confusion sometimes with that.

Speaker B:

No, that's. That's fine. Yep. No, it is everything electronic and paper.

Robyn Banks:

Okay.

Speaker B:

So you do go through and fill out a form. So if you are a sole trader, then you register in your own name.

If you have a limited company, then you have to register in that because that's considered to be a separate legal entity.

Robyn Banks:

Yeah.

Speaker B:

If you are a sole trader, you can actually register more than one business under your own name.

Robyn Banks:

Okay.

Speaker B:

Okay. Because you can then put in other trading names. So I'm registered as Robin Banks. Yes, they did accept it.

And actually bank robbing wasn't an option on the type of sector. So, no, it wasn't there. So, you know, I had no choice but to register as a trainer and a consultant.

And under that, you then have to go in and put in your. You have to put in your own details. They can contact you and then you can put in the other details.

You do not need a data protection officer if you are not a public authority. Okay. You don't need a specified data protection officer.

So you can just tick no to that one and you go through and you fill it in and it will come and tell you which tier it thinks you're in. Because there are three tiers to this. The tiers are based on how many employees you have.

So if you have 10 or less employees and directors are included as employees. So if you had 10 employees and two directors, you would then actually go over the lower tier limit.

Robyn Banks:

Okay.

Speaker B:

So it's 10 or less employees. And that is currently, and I say currently advisedly, 40 pounds a year, or if you pay by direct debit, it's 35 pounds a year. Okay.

And at that point, when you're looking to pay it, that's when they tell you how to do it. And you've got three choices to pay it.

You can pay it by direct debit, you can pay it by credit card, or you can pay it by sending them a cheque still, as far as I'm aware. So, yeah, I do it by direct debit because it just means every year they just write to me, say it's coming up. Yeah, it's much easier.

Robyn Banks:

This is £35 a year.

Speaker B:

£35 a year.

Robyn Banks:

And then also. Think about it.

Speaker B:

Yes. If you don't do it and you get caught out, it's a £400 fine to start with.

Robyn Banks:

Yeah.

Speaker B:

Okay. Just. Just for this bit. If you have more than 10 employees, you're then in the next set, the next tier up, which is 60 pounds a year.

And the fine for that starts at. There's no discount. And the fine starts at £600.

Robyn Banks:

Okay.

Speaker B:

If you have 250 employees, plus you're in the top tier, and that's £2,900 a year.

Robyn Banks:

It's a big jump.

Speaker B:

Yeah, big jump. So, yeah. So even the big boys, Tesco's, etcetera, etc., still have to do this registration. Charities still have to do this registration. There is no.

There are some exemptions, but they are very tight, and they only apply if you only process data on paper. If you phone them up and ask them, they will assume that you are not processing data electronically, so you'll still get misinformation from them.

So if I were you, I'd take my advice and just do it, because it's not worth it to risk the £400 fine. No, that is registration with the ICO.

When you're going through that system, at one point, towards the end, it'll give you a reference number which will be your registration number, and it begins usually with a Z or an A.

Robyn Banks:

Okay.

Speaker B:

That number, make a note of it then. Because if we have to go to them because they lose it or whatever, we have to quote that number because it's the only way they can find.

It's a bit like the tax office. It's the only way they can find you.

Robyn Banks:

Yeah.

Speaker B:

Okay. So make a note of that number there and then before you come out of that system.

Robyn Banks:

Because if I recall, you don't see it much after that. No, if I remember rightly, no, you don't screenshot it. Do whatever you need to do. Record that number, whatever you need to.

Speaker B:

Do, but just make a note of that number and the date that you've registered, because if you haven't heard from them in three weeks, then they've lost it. So we need to then get in touch with them and get them to trace it through.

Robyn Banks:

Okay.

Speaker B:

Okay. And that basically is it. And as you say, every year they then write.

If you do direct debit, every year, they write to you about six weeks before it's due and say, this is coming up. It's due on this date. We're just going to Take the money. Has anything changed in the last year? So have you become a limited company?

Because if you have, then we need to change it if you all kind of things. So it just makes you think about it a little bit more.

Again, just, just bring up a reminder so that that is the easiest way to do it is by direct debit, without any shadow of a doubt.

Robyn Banks:

Yeah. So that's the registration.

Because I think, because I think so many people don't even realize they need to do it because I think they just think they're at home and they're, you know, they might be working out of their dining room or something or out of their kitchen and they, and I think there's a big problem in the industry at the moment is there's a lot of solo businesses that may be turning over, but like they don't, they're not needing to pay tax because they're kind of like part time side hustles kind of thing. But even if you're on a side hustle and you're taking someone's name down in any form, you have to register.

Speaker B:

Do you not, you are using it in a business con. This, this applies to data in a business context. Now an easy, an easy way to look at that is to think of it in this way.

So when I first started out, I was actually sending out a Christmas card every year to my business clients because that was my form of marketing. Hey, it's me. I'm still here. Right. I had two, I do all the Christmas cards for the family. So I had two lists.

I had one for the business and one for family. The one for family is domestic. Doesn't come under this legislation. The one, the list for the business, it's personal data.

I'm using it in a business context because. Covered by the legislation.

Robyn Banks:

Yeah.

Speaker B:

And I work from home.

I don't, I don't have an office because I tend to go out and see my clients if I'm going to go and see them or I do it like this on Zoom or whatever might be on the phone. So I don't actually have a designated office. My office is my home address. But I still have to register.

Robyn Banks:

Yeah, I think it's just, there just does seem to be a bit of a confusion.

One of the things so I think we're going to kind of weave in and out of so much of this stuff through this, this conversation, Robin, because that's just popped into my head is like I was saying to you about, we have a growing cohort of businesses that are on to the public look like Salon A, but within it, Salon A owner has decided to rent out space to professional bcd.

Now, Salon A obviously may, depending on their arrangements, they may have requirements of knowing who's coming into their premises for fire safety and that kind of stuff. So they may need to have like a register of who's there. So they are.

They need to be the ICO for their business and for whoever's got their people coming in that may need to give them their personal data. So is that. Obviously, this is quite a nuanced thing where you've got freelancers effectively within your premises.

So does that have any impact on who needs to keep the data or who doesn't need to keep the data? Do you need to tell your clients that you're sharing that data?

Speaker B:

No.

Robyn Banks:

No.

Speaker B:

And what happens is that. So if, if you do that, so you've got Salon A, right, And.

And say you are the salon owner and you have three people coming in, freelancers that rent a chair from you. Each of those ones should be registered independently.

Robyn Banks:

Yeah.

Speaker B:

Okay.

Now what you can do when somebody's coming in is you can ask them for a copy of their registration number and then you can look them up on the database.

Robyn Banks:

Yeah. So is that. So that, I mean, really and truly for, for compliance is. Would there be anything in the legislation that says that someone.

Owner has a duty to do that or is there anything in there that says that? Just. Just like. So, like, we know if we're. If we're stepping in a gray area or not.

Speaker B:

Yeah, kind of.

Robyn Banks:

Yeah.

Speaker B:

What you have to do.

So basically, not in data protection legislation as such, but in the terms of due diligence of who's coming into your work premises to work so that, you know, they're covered, I don't know, maybe by insurance or whatever they're doing, so they're running their business appropriately. You can ask for a copy of their data protection registration number.

Robyn Banks:

Yeah, yeah. Excellent.

Speaker B:

There's other documentation you have to have in place.

Robyn Banks:

Yeah.

Speaker B:

Now this is all. This doesn't mean changing the way you do things. It doesn't mean changing your practices or anything like that at all. That's not what this is about.

What this is about is just being aware that you are handling personal data and special category data, which is something we haven't covered yet.

Robyn Banks:

Yeah, we will get to.

Speaker B:

But we'll get to it. So just being aware that you are doing that and then how you show the big wide world, big bad world out there, that you're Doing that.

Robyn Banks:

Yeah.

Speaker B:

Because that's what then stops you getting sued because people then believe in your credibility and your reputation. So this is where this stuff is very powerful and useful because if you do it in an appropriate way, that's what you will build up with people.

Robyn Banks:

Yeah.

Speaker B:

So what you can do is, if you wanted to, what you could do is put your ICO certificate on the wall of the salon.

Robyn Banks:

Yeah.

Speaker B:

Premises. Yeah. If you've got. So what you have to have is, regardless of whether or not you have a website, you must by law have a privacy notice. Okay.

hen this changed into GDPR in:

Robyn Banks:

Yeah.

Speaker B:

We're going to charge 3,000 quid a go.

Robyn Banks:

Yeah. Wasn't it just, Wasn't it just.

Speaker B:

And actually anything that you've got written by a solicitor probably isn't compliant.

Robyn Banks:

Wow.

Speaker B:

Now that's quite a broad statement to make.

Robyn Banks:

Yeah.

Speaker B:

However, however, the reason I say that is I write everything according to the ICO guidance because ICO are the ones that are going to fine me if we get it wrong.

Robyn Banks:

Yeah.

Speaker B:

Okay. So the ICO guidance says it must be short. Solicitors hate doing anything that's short.

Robyn Banks:

Indeed.

Speaker B:

It must be concise. So it must get to the point. Solicitors don't like doing that either. And it must not be written in legal language.

Robyn Banks:

Which I do believe nearly every privacy policy. I saw a privacy notice. And around that time, I do, I do think they have.

I, I know mine's much simplified from what it was when I had my salon, because we did, we all, I think most of us panicked, went online. There was generic privacy notices that you could buy from solicitor websites.

I know, but, but, but it's that you don't know what you don't know, do you? I mean, I think I know in the salon sector at that time there was, it was a fear driven thing.

Speaker B:

Yeah.

Robyn Banks:

All industries, all industries, everybody was terrified. People going out and buying safes and.

Speaker B:

It really was people, people were deleting data left, right and center, not allowed to anymore. And. Oh God, no, it's a nightmare. So it was awful.

Robyn Banks:

So, yeah. Anyway, so it has to be.

Speaker B:

So let's get rid of some of these myths. Okay?

It has to be short, it has to be concise, it has to be in non legal language, plain language for anybody that wants to read it, can understand it. I can do them for about a page and a half of A4.

Robyn Banks:

Yeah.

Speaker B:

Right. Now, I had a client come on board with me three weeks ago. When I looked at their privacy notice, it was 19 pages long.

Now, as you can tell, I'm quite enthusiastic about this stuff because I know the impact it has on my everyday life as well as being my business. And I lost the will to live after page two. I mean, come off it, guys. So yeah, I just wrote to them and said, no, let's just get rid of half of this.

It's because people think that they need to put a lot of information in there and you actually don't. If you put a lot of information in there, what you're actually doing is leaving yourself open to get sued.

So the easiest way to do it is to just really compact it down and make it as general as we need to because then we don't have to keep looking at the blooming thing either. So if you've got a privacy.

And it should be a privacy notice now, not a privacy policy because they decided that a privacy notice was a much more user friendly term to use.

Robyn Banks:

Yeah. Which it is. And I think it says what it does as well, doesn't it? And it does. And it lends itself to that short, concise document.

Speaker B:

Yeah. And it has to have certain things in it, which is fine, which is why I can only get it down to a page and a half.

But we can put all that information in there in such a way that it just literally puts people's minds at rest. That's what it's for. It's not to detail out how you deal with data, what you do with data, what information you collect or anything like that.

It's just to put people's minds at rest. But you thought about it and you are compliant with the legislation. Yeah, that's all it wants to do.

Robyn Banks:

That's basically, I think, I think people feel, I mean, I can remember that, you know, there's all the stuff about data handlers and, and about third party this. I mean it. And it does, I, it feels, I think because as well it's law, isn't it?

So I think it has like a, you know, some ominous feel to it before you even start and it. And because there's a fear that if you don't get it right, something terrible is going to happen. In actual fact, you know, it is simple and like.

And one of the, and the service that you provide is helping people write their privacy notices in a short, concise.

Speaker B:

Manner so that it covers you. What you can't do is copy and paste someone else's.

Robyn Banks:

Yeah.

Speaker B:

Even if they're in the same industry as you.

Robyn Banks:

Yeah.

Speaker B:

Because there will be nuances in there behind that that actually mean you'd handle data in a different. Slightly different way.

Robyn Banks:

Yeah.

Speaker B:

Right. So I can give you an example of this because I. I am a member of Lions International.

I do a lot of charity work for Lions, but one of the things I do for Lions is this stuff. Because every club. We are. We are an association of clubs, and every club across the country, and we've got over 550 of them.

Robyn Banks:

Yeah.

Speaker B:

Has to have its own individual privacy notice.

Robyn Banks:

Yeah.

Speaker B:

Because some of them have got a website, some of them haven't. Some of them use Facebook, some of them don't. Some of them do this, some of them do that. Now, the basic premise is the same. We fundraise.

Robyn Banks:

Yeah.

Speaker B:

And we help people. That's the basic premise of why we're processing data.

So in your industry, the basic premise is there is we are offering these services that we know are in this industry and salon industry.

So everybody's technically doing the same thing, but each privacy notice will be slightly different because what we have to do is we have to take the business. So Client A. So Salon A. We have to take Salon A as being totally standalone from Salon B.

They might offer the same services, but we have to make sure that we work solely on that particular business.

Robyn Banks:

Yeah.

Speaker B:

Yeah.

So there's no conflict of interest for me if I do work for you or for somebody that comes off of this podcast, Even though you might be offering the same services, there will be slightly different nuances behind it, which means that it might change the focus of that as well. Now, if you have a website, you do not require a separate cookie policy.

Robyn Banks:

Okay.

Speaker B:

Cookies are wonderful things. Now, I am a complete technophobe. And Sue will bear me out on this. I am a complete technophobe. I'm 60 this year. I really don't like the stuff. Okay.

I can make it work. And that's about it. Cookies are fat free and calorie free, girls. Yay.

But they are little Internet files that mean, for example, that I can see you and you can see me through this Zoom call. Okay. That's being done by cookies. That's essentially what cookies do.

Now, there are essential cookies, which means that they're the ones that have to make this work. Without them, it won't work. Therefore, they're essential. They're not covered by the legislation. Don't have to worry about those.

The main focus of this legislation, and it is part of the data protection legislation, it's not in the GDPR and it's not in the Data Protection Act. But there are e-privacy regulations that cover this bit. Okay, so cookies are covered because there are problems with targeted advertising.

Cookies, right?

So you go, you go on Facebook and everything comes up when you next go on Google, you go on Google and the next time you go on Facebook it comes up on there.

Robyn Banks:

But apparently they're not, they're not tracking us like that is what they always tell us, isn't it?

Speaker B:

Yeah. Right, yeah. Absolute rubbish. So this is the problem, right? So this is, this is the problem.

This is why whenever you get a cookie bar come up and 99% of people don't need one of those, but every time one of those comes up, always deny the cookies.

Robyn Banks:

Ages unticking those boxes.

Speaker B:

Exactly. But they're not allowed to then do that. And if you deny the cookies, they're not allowed to deny you service. That's illegal.

Robyn Banks:

Yeah.

Speaker B:

Okay. Now there are people that do it and I've been on websites, I'm like, really?

If you're going to make me do that and then not let me read what I want to read, you know what, go away, I'm not interested. So it's. Yeah, but actually that's illegal because it shouldn't affect what you're trying to do.

Robyn Banks:

Yeah, they need to like anyone that does have a website needs to speak to their, either their website designer or their website provider.

Speaker B:

Right, yes, because. But I can do that for you as part of doing. Yeah, so I can do cookie. Not me personally of course, because I'm the technophobe in the family. But I did.

My systems administrator is brilliant and he can just do it for me at the touch of a button. So he's a good lad.

Robyn Banks:

Yeah.

Speaker B:

Now cookies, what you have to do is they're in this regulation, the privacy regulations, there is a section that says you have to have a cookie audit done on your website which then lists all these non-essential cookies. Okay. And the results of that get built into your privacy notice.

Robyn Banks:

Okay.

Speaker B:

Okay. So that it shows that you've done it and what the results were.

So that I know when I visit your website if I look at your privacy notice what cookies your website is using.

Robyn Banks:

Okay.

Speaker B:

Okay. No, we don't list them.

Robyn Banks:

Okay. I was going to say could be long, couldn't it?

Speaker B:

No, we don't list them. We just have to summarize what the cookies are doing. So it might be.

If you've got a Google reCAPTCHA on there, then we might have to put a little bit more in because that uses cookies in a slightly different way, but it's all up here. That's what we have to do. Right. So if you're using for analytics or for security purposes, then that's all we put into the privacy note.

Robyn Banks:

Okay.

Speaker B:

So you don't need a separate cookie policy. The law says that if you have a website, you have to ask your web developer, or in that case us, to do a cookie audit. Okay.

So that you can incorporate those results into your privacy documentation.

Robyn Banks:

Okay.

Speaker B:

If you don't ask your web developer, you as the website owner could be fined a thousand pounds.

Robyn Banks:

Wow. Do you know what this is, this is a learning moment for me because I, I, yeah. This is why I love to web developers tell me.

Speaker B:

Yeah.

If the web developer refuses to do it, the or doesn't offer it to you when they're building the website, the web developer is also in line for a fine of a thousand pounds.

Robyn Banks:

Wow. Okay. Do you know that is such a. Yeah. Speechless. Never know if you have a cookie.

Speaker B:

Bar on your website. What you are doing is preventing people from coming into your website.

Robyn Banks:

Yeah.

Speaker B:

Because people don't see it, panic, don't want to do it and will come away, walk away from the website. Even today it is still people putting people off and going into that. Absolutely.

Robyn Banks:

I hate them. And I know I've got, I know I've got a reject or accept.

Speaker B:

When this came in, in:

years or since:

Robyn Banks:

So, so because I know that if I, if I'm a bit gobsmacked by this and this, this new knowledge to me, I mean, maybe I'm the only one, but I've been, I've built my own websites on and off for years. I've had a web developer build my websites who's a professional web developer.

Speaker B:

Cookie audit.

Robyn Banks:

No.

Speaker B:

Perhaps you don't know he's going to get. Fined a thousand pounds a website.

Robyn Banks:

Well, fortunately that website is no longer. But, but like now I've got my, like my website. I've built mine with IONOS for example. And that it comes with an automatic cookie bar.

And I've just thought, oh, that's good, because it's doing it for me. I didn't have to do anything, but I don't even need it because I'm not. I don't want those cookies. I'm going, that's a job for later.

Speaker B:

I mean, we could do a cookie audit on it for you and see if you do need it. But, you know, I don't think.

Robyn Banks:

I don't know. I don't know, Robyn.

Speaker B:

Exactly. You don't know what you don't know and that. I don't know. I just rely on. On dear hubby because he's into computers to do it for me.

And he says, well, they've got these, these and these, and this. This is what? This. And he goes into all the research on it. He loves it.

He goes into all the research on it and says, well, that cookie does this and that cookie does this, and that cookie does that. And then I. From that, I then build it into the privacy notice. And it comes in about, I don't know, four sentences. Five sentences.

Robyn Banks:

Okay, so we can turn them off, though, if we don't need. If we're not. If we're only capturing essential cookies. And that's all. I mean, I wouldn't even know what to do with a cookie.

Apart from eat it, obviously, but. Yeah, well. So, anyone listening, if you're not aware about your cookie audit, speak to Robyn.

But also, if you've got a web developer, ask them why they're not asking you.

Speaker B:

Huh? Because I bet they don't know. They find line for a thousand pounds. Line themselves. You and you as the web owner and the web developer.

Robyn Banks:

Wow.

Speaker B:

Yep. So if you did get investigated by the ICO. Now, the ICO have exactly the same powers as HMRC.

They can just turn up on your doorstep and ask to see all your procedures and everything else. Right? So if they then go and say, well, where's your cookie audit? I needed one of those thousand pound fine.

Robyn Banks:

Yeah. Because. Because saying you don't, you didn't know, doesn't.

Speaker B:

Is not a defense.

Robyn Banks:

Not a defense.

Speaker B:

It's not defense. And ignorance is not a defense in the law.

Now, with privacy notices, you will find, if you go on the ICO website, they've had a nice little AI tool put in there to build privacy notices.

Robyn Banks:

Nice.

Speaker B:

That's nice. But AI is no respecter of privacy. And it's no respecter of copyrights, no respecter of intellectual property, and it doesn't do privacy by design.

No. So if you did that and went and got that written by them instead of paying me the little bit that I'm going to ask you for to do it, then you're gonna be not covered and you could end up with a thousand pound fine or up to 5,000 pound fine.

Robyn Banks:

Yeah, okay. Okay.

Speaker B:

So what I'm doing, I know this is getting scary, and I know this is scary, but if I don't warn people, they don't see the value of what we're doing.

Robyn Banks:

But this is one of the reasons that when I, I mean, and the reason that I asked you on was because I saw something on a forum the other day and it was like a knee jerk reaction to me because I know what you do. And it was like, Robyn, is this okay? Can this happen? Because I don't know.

And like, to me, like, since I've known you for the last, like whatever is 18 months or so is like, is the, the thing to do is go and ask Robyn, because like, this is your specialty. And as we, we all know with anything, if you don't know, go and find an expert that does. And compliance of any law is really, is just hard. It is.

Speaker B:

Without understanding what I'm trying to do here and what, what we are trying to do here on this podcast is to break this down into understandable chunks so that people get it. People only realize the value of what they do if they realize what can happen to them if they don't do it appropriately.

Robyn Banks:

Absolutely.

Speaker B:

Because there is, there isn't a right way and a wrong way. There's no wording for this in the legislation. Okay. So you can't just lift the wording out of somewhere.

So you need somebody that can take it, take what you do and take the legislation and make this happen.

Robyn Banks:

Yeah, Right.

Speaker B:

So I'm not a legal specialist. This is what I do.

Robyn Banks:

Yeah.

Speaker B:

Yeah. So it only by, and only by telling people this is what can happen if you don't do it. And I'm not saying people have to do it.

They're not saying people have to use me. There's no obligation at all. But this is.

You have to know what the pitfalls are and what can happen to you if you don't take this seriously at some point.

Robyn Banks:

Yeah, absolutely.

Speaker B:

And you never know when it's going to come around and bite you on the backside.

Robyn Banks:

You know, I mean, the chances of the ICO picking on somebody like us, I would imagine is probably less so, but it doesn't mean it doesn't happen.

And if they've had if there's been calls for concern raised or they're just doing a sweep of the area and they just randomly pick people they don't know this is. And rather than. That wasn't. I suppose.

I mean, but I mean, sometimes you can kind of assume that kind of stuff from websites and from social media and stuff. But I don't know how much time the ICO have on their hands to go like stalking cases.

Speaker B:

But, I mean, I have had a couple of clients who've come to me after they have been approached by the ICO and they're on the point of getting fined and I managed to get them off it.

Robyn Banks:

Yeah.

Speaker B:

You know, we have had people that I know are getting fined and we just have to look out for it. You never know about the out of court settlements. That's the other problem. So you don't know a lot about that kind of stuff.

But there are individuals have been fined. You get seven days to pay the fine.

Robyn Banks:

Is that all?

Speaker B:

That's all. And it could be quite a lot of money. So this is what you need to think about.

And when you balance up what you're paying out in terms of the ICO fee and my fees, is what you're getting against what could potentially happen.

Robyn Banks:

Yeah, yeah.

Speaker B:

So I'm a bit like an insurance policy.

Robyn Banks:

So everyone watching and listening, we are having a few technical issues today between myself and Robyn. Our Internet keeps dropping out, either at her end or my end, so this could be a bit disjointed.

But Robyn had just been saying about the services that she offers. So I'm going to ask Robyn to start that again and I'm going to try and cut it in really cleverly, just in case it doesn't work properly.

So, Robyn, please again, tell us what services you offer.

Speaker B:

Right, so basically, anything that I do, if you don't have that in place, then you could be fined for it. So we're looking at. I can't do the ICO registration for you, but I can help you with that.

I can draft a privacy notice for you, appropriately written for your individual business, which will include the cookies. If you have a website, I can do the. Give you a piece of text that needs to go on your emails and.

Or forms that you have, whether they're on paper or electronic. You need those kind of things on there. And I can give you what's called an accountability document.

Now, accountability document is something that's new under GDPR. Excuse me, I'm going to talk. Right, so the accountability document is something that's new under GDPR.

Again, there is guidance in the ICO stuff of the concepts they want to see in there. But you hold that internally. Okay. So you hold that in case you ever get needed for it.

But it will include something about your organizational and technical measures to protect the data. And that's as technical as I get.

What that means is, technical measure is you have password protections on your computers or your phone or whatever else. Basic protection like that. It doesn't mean you have to have 128-bit encryption on anything.

Robyn Banks:

Okay.

Speaker B:

The security level you have to have on stuff is what's readily practical and feasible for your business. Okay.

So all this stuff is what's considered to be practical, feasible and reasonable for your business to put in place to help you to protect people's information.

Robyn Banks:

Okay.

Speaker B:

Okay. So it doesn't mean you have to go out and buy a whole load of expensive encryption or anything else like that just isn't needed.

If all you need to do because you're working from home is to just make sure that the kids can't get into your stuff. If they nick your laptop, then password-protect that area. That's it.

Robyn Banks:

Okay.

Speaker B:

Now, so I can write the accountability document for you as well. And the other thing I give you is a starting procedure for subject access requests.

Go and find the data, then get in touch with me and then we'll decide what we're going to hand out, what we're not going to hand out. Because you don't just hand everything out. You don't just photocopy everything and hand it over to the person.

There are certain rules and regulations around this kind of stuff which I could go through now, but nobody's ever going to remember it. You might not have a request for five years, so there's no point.

Robyn Banks:

Point, no. But that's a robin, if you ever get one.

Speaker B:

Exactly. So that, that's basically what you get as the package deal. Okay. And that's, that's your.

Effectively, apart from the ICO fee, that's your initial outlay. And I do that for under £200 nil VAT.

Robyn Banks:

Wonderful.

Speaker B:

Right. So. And that's your initial outlay.

Robyn Banks:

Yeah.

Speaker B:

After that, you don't have to pay me a retainer, you don't have to keep me on the books. You don't have to.

If you've got a question later on down the line, then just send me the question later on down the line and I will answer it if I can. If I, if, if it's going to take me quite a bit of work to do that for you. Then I may say to you, look, this is going to take me some time.

I'm going to need to, to just make a small charge and that's my hourly fee. But that's kind of what we agree at the time. So, yeah, clients come back to me and say, oh, can you do this bit for me now, Robyn?

So, yeah, that's fine. We have to put a paragraph into terms of business, for example.

So if I do that, then that might take me an hour, it might take me two hours, depending on what, how your business is set up and what you do. So that will either be one hour to charge or two hour charge, but I'm only going to charge you for the whole hours that it takes me.

Okay, so that basically is then making you compliant as far as the big fat wide world is concerned. Okay. Because there's stuff that they can see, you've got stuff that you can hand over if the ICO ask for it.

It's all appropriately written to your business. It's all written in line with the legislation, i.e. there's no legal stuff in there because people don't understand the legal stuff.

When I go and introduce myself and tell people what I do, the look I get is basically they're holding up a wooden cross or a piece of garlic against me. Right?

Robyn Banks:

Yeah, because it's like, I think it's probably because of that fear of it.

Speaker B:

And it's fair and I get that, you know, if you got these things, I'm going to rub your banks in.

Robyn Banks:

ody that was in business into:

And actually it went to:

In actual fact, you just had to put something on your website and that was really it.

And just make sure, looking at your stuff securely within a written environment, if you had, if you had pen and paper and just make sure that you are holding. I think a lot of it as well comes down to you have to hold the data how you would want your data held. Isn't it?

It's like so many things, be kind because you want people to be kind to you. And I think that's what it is, isn't it? It's just like, you know, treat others how you would have them be unto you and all of that.

Speaker B:

Yes, exactly. So that's exactly it. That's the rule of thumb. And the same with, like, we were talking about writing those comments on things. Yeah.

So if you write comments on paper, just, just think, well, actually, would I like that written like that about me? And if the answer is no, then don't do it about somebody else. Just respect their privacy by doing it in that way.

This is not about being nice and nicely to everybody. This is about just being factual effectively.

Robyn Banks:

And I think people forget that, don't they? And I think especially with what we do for a living, we are very personal, we're very intimate with people. And I think there's.

It allows boundaries to be blurred. And I think people. Or that you feel you have to be really nice all the time or you, you know, you're not allowed to say the real truth and.

No, actually you can if a client's difficult and, you know, like, like, you know, take for example, like zero tolerance and stuff. Now, you know, we get a lot of abuse in the industry. Not as much as doctors, receptionists, but we do get a fair amount of abuse.

And you are allowed to document it if, if a client is unreasonable. But you have to, you've got to do it in a way, you know, you can't say, you know, Mrs. Smith, you know, came in and shouted her mouth out and swore at me, and she said this and she, you know, you just have to say there was a disagreement, you know, and, and we.

Speaker B:

Agree, you might be feeling that you're toning it down a bit. I often, when I write stuff, I write it one day, I then read it through the second day and then I send it off the third night.

Robyn Banks:

Yeah.

Speaker B:

Partly because I do a lot of typos, partly because I've got problems with my eyes and I can't see properly. Don't always see the typos, but it's. You can then take all this. So when I write a letter of complaint, I do it that way.

So I take all the emotion out of it. If you are cold in things that you write down, then you can't get into trouble for it because it will stay factual and people can't argue with that.

And if they can't argue with it, then you ain't going to get fined for it, you ain't going to get sued for it. So that's, that's basically the way to go for it.

Robyn Banks:

Yeah, but very much like the privacy note is short and concise and to the point, isn't it? That's all it needs to be. So, should we move on? Because that's, that was a lot of information.

So let's lighten things up now with third party booking systems. And you know, this is stuff that, I mean we aren't the only industry that uses.

Obviously there's loads of industries that use third party booking systems, but we do, in, in the course of our businesses generally we will have some kind of online booking system, whether that's on a website, whether it's via Facebook, whether it's via Google, whether it's on your phone. You know, there's, there's multiple ways that people can interact with us in the way. We then also have marketing tools.

So you may be using Mailchimp or Brevo or MailerLite or whatever system. And then we also have a supplier interaction which generally we don't share like client information with.

But then equally they have a responsibility to us and with our data as well, don't they? So I don't know. So how, how do we need to approach when we start having third parties that might have access to our data?

Speaker B:

Right, okay. So this is all down to, to actually how we do the systems. So let's start with the booking systems.

Okay, so anybody that is not the data subject is a third party.

Robyn Banks:

Yeah.

Speaker B:

So Mr. Smith is a third party to Mrs. Smith.

Robyn Banks:

Okay.

Speaker B:

Okay. So you can't share Mrs. Smith's data with Mr. Smith.

Robyn Banks:

No.

Speaker B:

Right. You can only share it with the data subject, the person it's about if.

Robyn Banks:

They give an express, like unless they give express permission.

Speaker B:

So yeah, I often have because my husband's better on the phone than me. So I often have to give permission. Yeah, yeah, yeah.

Robyn Banks:

My husband always gives permission for me because I'm.

Speaker B:

Yeah, exactly. There you go. But that is you giving your consent for that to happen. Okay, so that's fine. Now you only have to give that once.

Robyn Banks:

Yep.

Speaker B:

Every phone call.

Robyn Banks:

Right. They don't get it, do they? Some organizations don't get it.

Speaker B:

I first started doing this stuff 20 years ago was just as I got together with the gentleman I'm now married to and he'd be going, oh no, not again. She's hiding under the table. Now it's me that has to hide under the table because he's going.

You do know under data protection you can't do that, don't you? And I have got an expert here if you need to speak.

Robyn Banks:

But the thing is, it's just laziness. I mean, every organization should like.

And actually it's a point because if someone has, say you have someone that comes to your business that's vulnerable, whether they're a minor, whether they're someone that's got mental health concerns, that they have someone that attends with them because they have whatever situation or whether they're an older person that has someone come with them or has a carer with them, once they've given you, like, if, if you know that there's that scenario or that you know that maybe they've got dyslexia and they can't write the forms out that you need written, that if they have someone that does that for them, you just need to make a note, don't you, that that person isn't something that they have, that you should be asking them every time you should make something like available that is clear in front of you.

Speaker B:

They have brought somebody with them to do that. That is their consent for that person to do it. You don't need to ask them for their consent. You don't need to document their consent.

You just need to know on the form that that has been completed by their carer. Yeah. So that you know when you're looking back on it that that's the case. Yeah, that's it. All right. You don't need to then keep asking.

In fact, actually, if you keep asking them, you're breaking the law.

Robyn Banks:

Yeah.

So as long as it's documented that they have someone that assists them and it may be that person might change, but if they attend with that person, they may need.

Speaker B:

You can make a note on their record that that's the case. If you make a note on that day that that's the case, that's called a legal contemporaneous note and that is legally binding.

Robyn Banks:

Okay. And that's the only time you have.

Speaker B:

To ask them and we don't then have to ask them. We, we can't ask them. They may not be able to give their consent for whatever reason. So that's the way it works.

If they're over 16 and they're, and they're. But they are with a parent, it's still their responsibility, not the parent. You can't do it to the parent. If they're over 16.

Robyn Banks:

Okay.

Speaker B:

Okay. But up to 16 and vulnerable people, it's a given okay. We don't need to keep asking.

We don't need to even ask in the first place, because the reason they brought somebody with them is because they may not be able to voice that consent in the right kind of way. So, therefore, that will then cover that. Okay? So that's important. But they are still a third party.

So when we have a look at this stuff, we are looking at. So if you've got your booking system, you are putting the data into that booking system.

You're responsible for that data because you're still the data controller for it, because you're the one that's entered it. So you have control over that data because you've decided it's going into that booking system, whatever it might be, it's going into that.

You've chosen that booking system as the data controller. You have responsibility for that data.

Robyn Banks:

Okay.

Speaker B:

Now, your booking supplier. Booking system supplier has a duty to keep that box that's got your information in it secure.

Robyn Banks:

Yeah.

Speaker B:

If it gets hacked, it's down to them.

Robyn Banks:

Okay.

Speaker B:

Especially. Especially if you've got a privacy notice written by me. Because that will have. Because that has to have it. That you're working with third parties.

But what I put in is a nice little gate that is solid. So if something does happen to the data, like it get. Like the booking system get.

And I have had this where the booking system gets hacked and we have to notify people that their information has been potentially disclosed out there in the big wide world and we have to offer them help to deal with it. Yeah.

If we do that, we aren't going to get sued because in our privacy notice, we have a nice little gate that comes crashing down that says that's your responsibility, not mine.

Robyn Banks:

Yeah.

Speaker B:

Okay.

Robyn Banks:

Responsibility, isn't it? Because it's not in our control.

Speaker B:

Yeah, exactly. So you can't. You can only. You can only be responsible for data you can control. So you are controlling. Put it into that system.

You've chosen that system. That's the way it is. Hacking is now so widespread that, you know, it's a way of life. It's not a. It's not something we can necessarily.

You cannot make something 100% secure. It's not physically possible. Doesn't matter what level of encryption you put on it. The more people have access to it, the weaker the security on it.

Okay. So that's something to bear in mind when you're looking for your system, of how you're going to do it.

You can ask for a copy of their own ICO Registration number, you can have a look at their privacy notice because it should be on their website. Yeah, things like that.

And if you're not sure about it, if you think that doesn't look quite right and you will get a feel for it, if you think it's look at something you think that's not quite right, then you can always ask me or have a look at another one. Right. Because that's what your duty of care is, to find the best system that (a) works for you, but also looks after your client data.

Robyn Banks:

Yeah.

Speaker B:

Now we then have a situation, as I understand it, particularly to your industry, where that information then is difficult to extract to put into another system if you want to use it.

Robyn Banks:

Yeah. This is why I came to you in the first place, because I think I'd misunderstood what the problem was.

I thought that they were actually having a, a refusal of supply for their client data, but what it actually turns out to be is a mismatch between the system they're on and the system they want to move to, and therefore the company were unable to supply their data in a format that they would then be able to use.

Speaker B:

That's, that's illegal.

Robyn Banks:

But.

And because to me, I mean, I was saying just getting to send it to you in a CSV file because it might not be a very pleasant document to read, but you'd still have the data.

So you could then go and do a find and whatever and you'd be able to locate that person's information on the CSV file, which obviously people don't know what CSV file is because I have to fit like I like Excel, so I know what CSV file is, but it's a comma separated value which is basically just your data in cells on a spreadsheet is the easiest way to explain it, isn't it? I mean, it is in its true form, it isn't that.

But when you, most of us see it in an Excel spreadsheet and it just goes name, address every field you have on your form. So if it's name, address, medical history, different tick boxes or whatever, every single thing that is on your form will appear into a CSV form.

But the problem seems to happen then if you want to transfer that into a new system, it may not always flow well.

Speaker B:

Right. So the thing to do is, when you are looking at a new system is to say to them, so if I want to extract some data, how do I go about it?

Because you have that right. Not only do you have that right, but me as an individual who's got my data on that system has a right.

So we have several rights under the legislation as individuals and one of those is called data portability. The easy way to explain data portability is actually in the banking sector.

So back in the good old days when I was a lot younger than I am now, when you had a bank account and you wanted to move to a new different bank, you had to write to everybody that you had direct debits with or standing orders with to get them to switch over to the new bank account. Right now under this law we don't have to do that anymore.

The bank, the banks have a duty of care to make sure that if we switch from HSBC to Barclays, other banks are available, HSBC to Barclays, then HSBC have a duty of care to me as the individual asking for that to happen. Of data portability, all my data is automatically switched across to Barclays, all my direct debits, all my standing orders, everything.

And they then get back in touch with the companies and notify them of the new bank details. I have that to do a thing. I have that right under data portability. Now the same with your stuff.

I have the right as a client if you decide to move my data from one of these systems to another system, data portability says that I shouldn't have to give you consent to send off to the first company for it to go to the second company. It should be that it should move across in another format. That's their responsibility to do under the law to protect the data.

Robyn Banks:

But I think the issue could be, and this is because they're all private, they're all private businesses and so they set their forms up in whatever way they choose to. And so if form A doesn't merge with form B, you've then got a lot of potential missing data or data in the wrong place.

And it's, and so, I don't know, so, so do they have, I mean are they, are our booking system companies potentially? You know, is it something. They should just have a standard form and that should be how it is because it's, I mean it's difficult thing.

Is it because like.

Speaker B:

Yeah, on the back end. So it can look different. Yeah, so it can look how they want it to look.

And you might think, well I actually like the form way that's formatted better than the way that's formatted which, which is fine and there's no problem with that. But on the back end they should be able to extract the data from one to be able to go into another.

Robyn Banks:

Yeah. And so if. So if booking system refuses to do it.

Speaker B:

So if they refuse, if booking system A, you want some back to particular data that you want to transfer of data subject B. Okay. Data subject B, you want to move their data from booking form A to booking form C. Yeah. Okay.

Then data protection B, Person B should not have to give booking form A's company permission to move the data. It should happen automatically. If they are having problems, then the way to do it. So if it's from salon to salon.

Robyn Banks:

Yeah.

Speaker B:

Okay. Then the main way around this because the booking system may just dig their heels and say no.

If they are looking to say that, then the way around it is to get your client to go to salon A and give them written consent to send the data over to salon B.

Robyn Banks:

See now that's something I've never even. And I don't know that we, I don't know that we'd ever get that request.

Speaker B:

Maybe an aesthetics by law, okay. If I've chosen that, that's how I want my data processed. I want to move it from Salon A to Salon B. I have that right.

I have the right to say to salon A, tough, I'm not going to come to you anymore. I want my data moved to that other channel.

Robyn Banks:

Well, that's, that's a. That's a. I don't.

Do you know what, it'd be interesting actually to know if any salons have ever had this request because I think it's not like moving doctors or moving dentists. I think maybe with aesthetic practice, maybe it may be more because it's slightly invasive.

But moving with having your nails done, you wouldn't necessarily want to move that data. And I think usually it's a salon owner wanting to change systems is where we seem to come across this more.

And they want to, they want to update a system or you know, they've discovered the one they were using now charges for something they don't want to pay for any longer and then they want.

Speaker B:

Then they have the right to move all of their data to another system and that should happen through the back end seamlessly. That should be. That shouldn't need to be any other thing than that because you're paying, you're paying supplier B. Booking system A for a system.

Robyn Banks:

Yeah.

Speaker B:

Not for the data that's held in it, because the data that's held in it is still under your control. You're the data controller for it. So you have the right to move it from booking System A to Booking System B without any obstructions.

Robyn Banks:

And so if they offer to provide you that in a CSV file, as long as they.

Is that sufficient, if they provide that for you in a CSV file that you can forward, and I suppose then it just comes down to whether there's a compatibility of format fields as to whether that then uploads into the other one and then that's booking System B's problem to resolve.

Okay, because it is, I think this is, and I know that that poor salon owner, I mean she had, I think it was something like 3,000 clients to move and to manually have to re enter all that information. I mean it is just painful.

Speaker B:

So you, as the data controller have the right to ask that to happen.

And as your supplier of the box, they have to allow it to happen because they have to allow you access, they have to allow you to be able to download any information you want to be able to download, because as the controller you're responsible for that data. So if they get hacked.

Robyn Banks:

Yeah, yeah.

Speaker B:

So you just have to explain, basically.

I mean, I had this with a chiropractor client of mine who got in touch with me and said, oh God, there's so many people coming to me and saying, because they've used this system and we've all used this system because this is the system we were told to use. And, and that was like a content management system.

It was, they're holding all their client records and it got hacked and so they'd been notified that it got hacked and potentially this is the people that have things. So I told her what to do, which is basically go through the list of people that could potentially be affected.

Could any of their financial information be disclosed? And we whittled the number down from about 300 to about 70 where actually the financial information could have been compromised. That's the key.

So a lot of the other people that she was on the system with in the same business were getting threatening letters from solicitors from their clients saying, why have you done this? What have you done this? And we cut that down by just explaining hacks happen. This is what's happened. We've been notified of it.

This is potentially the data that has been. So we had two letters, we had one for the non financial data and one for the financial data because it's slightly different.

And we were send a letter out to all the clients saying, look, unfortunately this has happened. It's the way of the world these days. We've notified you as soon as we've been notified of it. We don't use this system anymore.

But this is the data that's potentially been. If you do suffer anything that you think might be related to this, then let us know and we'll help you manage it.

We didn't get one letter from a solicitor. No one.

Robyn Banks:

Yeah.

Speaker B:

Because if you're open and transparent about it right from the start, this is why I'm saying if booking System A or Salon A won't release the data on a data subject to Salon B, Salon B gets the data subject to just give consent to Salon A to transfer the data because they have a legal obligation to do that if they've been told to do it by the data subject.

Robyn Banks:

Yeah. Okay. Yeah, because I think, as I said, I don't know that that comes up. It may do in some. I've.

I've never had a client ask me, but I suppose if you're, as I say, if you're doing injectables or something like that, you would need to know where you've been injected and all that kind of stuff. And so then there may be a transfer of notes that needs to occur. Okay, so one, one question that's popped up in my head.

Or two, actually, two questions that pops up in my head with this. So we're going to be here all that.

This may have to go into two episodes, but I use, for my business, I use Jotform for my client consultation forms in one part of my business. And I have got them encrypted with some great long encryption code which you've just told me I don't need. Is that right?

Because my phone is password protected, my computer's password protected. I don't need. Because. Because it's their medical history form. So I just thought, no, I'm going to put. I'm going to do encryption.

I'm going to be really good here.

Speaker B:

Yeah, no, so that's entirely up to you. Right.

Robyn Banks:

Okay.

Speaker B:

The basic thing you need is password protection. Do you need to pay out for very expensive encryption? Not necessarily, but medical data is slightly different. Right. So I did.

I do remember that in a previous incarnation we'd said, we come onto this. So personal data is any information that relates directly or indirectly to an individual. Within that we have special category data.

Special category data is any information for which in this country we have anti discrimination legislation, except age. Because you're a data subject from before you're born because of scans, until after you pass away.

Because when you pass away, all your personal data goes to your next of kin.

Robyn Banks:

Yeah. Okay.

Speaker B:

So. But it's still there. Your personal data is still there. So age is not. Doesn't come into this, but anything else.

So it is race and ethnicity, sexual orientation, political beliefs, religious beliefs, physical or mental health or condition.

Robyn Banks:

Okay, okay.

Speaker B:

Because we have. You can't discriminate against somebody because of their. We have the disability discrimination legislation.

So that is the main one you're going to come up against because that's medical. Right.

So as you were explaining to me, if somebody's got diabetes, which I have, you can't necessarily do certain treatments on them because of what the condition that they may have leading on from their diabetes, which is absolutely fine. But that is medical information.

Robyn Banks:

Yeah, yeah.

Speaker B:

Allergies are medical information lately. So all that kind of stuff. If you have got that from the client, you have their consent to process it.

Robyn Banks:

Okay.

Speaker B:

Okay. You need expressive consent to process it. If I give you that data, that's my consent.

You don't need to then say, I actually physically give you my consent to process my. No, no, no, no, no. That actually gives you that, that, that allowance.

So when you are clearly keeping the medical data, just maybe think about how you might feel more comfortable with your medical data being held. Okay. Me, for example, I'm not particularly happy with the NHS holding my medical data because they keep getting hacked and ransomware.

Indeed they do, because they've got out of state.

Robyn Banks:

I haven't worked in the NHS for a long time, but I know when I did.

I mean, I'm sure they've, they've changed, but I mean, I'm sure when I've looked over reception counters, there's quite a lot of data sitting on that side.

Speaker B:

I. I had a problem with my. I've got problem with my eyes now. But a few years ago I had a real bad problem in my eyes. I couldn't see at all.

Robyn Banks:

Oh, goodness.

Speaker B:

My husband had to take me down to the eye clinic at the hospital late at night. We got an emergency appointment for me to get sorted out. Right.

And I couldn't see, so he had to take me down there because he was leading me around everywhere, literally couldn't see.

And as we're walking through the corridors, he actually turned around to me and said, it's a good job you can't see, Robyn, because I'm walking past trolley loads of files. Yeah, just in the corridors. And then we went through the door and just taken them.

Robyn Banks:

I mean, it definitely used to. I mean, I can remember the medical records, girls.

I mean, like, I mean the medical record vaults were huge when I worked at Guy's and you know they'd just be, they'd walk around, they had trolleys, they pull around the hospital and they'd leave in corridors and I mean no one's ever going to go through those, are they?

Speaker B:

But, but you never know, somebody might just go in and whip one and see what they can do with it because this is what people do now. So yeah, it's. And then you don't know what information's in there as well.

So there could be information there that they can use to their advantage if they are targeting somebody. So you never know what a criminal is going to do with data. So protect it. If you've got paper files, keep them locked away.

If you've got them in a salon, keep them in a filing cabinet. If you've got them electronically, keep them password protected, bare minimum.

But bear in mind if you've got medical information in there, just bear in mind how you would like yours to be protected. So if you would like yours behind 128 bit encryption then that's what you need. That is a business cost that you've decided you need to put in place.

What I'm saying to you is there is a bare minimum requirement to keep the data secure, i.e. behind password protection.

What I'm, I'm not saying don't do it, what I'm saying is there's nothing in the law that says you have to go out and buy 128 bit encryption. It says you must keep the data secure full stop.

Robyn Banks:

And it is, and it's like with mine because it, I, I obviously everything's password protected on my phone. And then it was like, do you know there's an option here that I can increase. I mean it's a free service, I don't have to pay for it.

But it's like, I think it's like, I think 12 or a 16, multi symbol, whatever. You know that thing.

I've actually, I have had to write it down in another password protected area of my phone so it's password protected twice before I, to get to my encryption. It's like. But it's per.

Is people's personal information and it has got all of their information about all their medical history and I just think, I don't know, I think it's, there's, there's, there's minimum requirement and then there's best practice, isn't it?

Speaker B:

Yeah, so it's kind of. But what's best practice is what's best practice for you.

Robyn Banks:

Yeah.

Speaker B:

Right. So. But that's why there is nothing set out in the law about the data protection law about this. It just says keep the data secure, full stop.

Because then it entitles you whatever your business is. Yeah. So for me it's enough if I keep my laptop. I got a separate area on my laptop I do my business in.

I've got that password protected and then I've got all my paper files are upstairs in a lockable filing cabinet.

Robyn Banks:

Yeah.

Speaker B:

Because I'm sitting home and I've got other people in the house. But if you've got, if you do password protect stuff. Okay. Make sure that somebody in your family has access to that password.

Robyn Banks:

Absolutely. My children are my key holders.

Speaker B:

Yeah, exactly. Because if you've got. But people don't think about it, right. It's my business and nothing to do with the family.

No, but it's like with the Lions work. The Lions work is voluntary, but a lot of it we do online, we do emails to people, we publish things on Facebook, etc., etc.

We've had situations where the person that does that in the club has suddenly passed away and nobody can access their computer to get to any of the information.

Robyn Banks:

This is it, isn't it?

Speaker B:

Is it legal?

So we need to be able to get to the information you need to protect against accidental loss, that is somebody that shouldn't have access to it, getting a hold of it. But equally in the same way that you should be able to get into your booking reference system and download the information that you want.

It's the same thing that somebody should be able to get into your system should anything happen to you.

Robyn Banks:

And it's like one of the things that kind of popped up into my mind when you were talking, when you were talking about the requirements. And if you, if a client wants to ask for information is that, you know, we have to.

Can you actually, and you hopefully will know the answer to this statutory requirements of time to keep that data for.

Speaker B:

Right. The answer is no, I don't.

Robyn Banks:

Because. All right, my generic answer to everything is always seven years.

Speaker B:

Yeah. Let me, let me explain why I said that. Right. So all the law says is keep no longer than is necessary, full stop. That's all.

Robyn Banks:

Okay, so then for us, insurance wise. Yeah.

Speaker B:

So why it says that is because I have to keep my tax information for six years plus the current year according to law. Okay. If I had an employee, it would be certain length of time after they've left because they can make grievance in that time.

So that is dictated by HR law. Insurances in different industries do place on it a different timeline.

If you are a pupil, if you are a pupil at school, you cannot have your data erased by law. Okay? None of your data can be removed and that data stays in your school records until you reach the age of 25 by law.

Right now a lot of people don't know that that was new.

Robyn Banks:

But we have the same thing. If we treat a minor, we have to hold their information until they're 18 plus 7 years for insurance, 25.

Speaker B:

So that's why that's a legal requirement. That's a legal requirement within your industry that is setting your retention period.

Okay, so you were going to have different retention periods on different sets of data set.

Robyn Banks:

Yeah.

Speaker B:

Okay. Personal data is a plural term. So my name is one piece of personal data. My address is another piece of personal data.

My phone number is another piece of personal data. The fact I have diabetes is a piece of special category personal data. So you have this collection about somebody.

So when you have a booking form, every entry on that booking form is a separate piece of personal data and that's the way you have to look at it. So you break it down to look at it like that and then go right, how long do I need to keep that? How long do I need to keep that?

And when you're looking at person contact information, it's how long is it still going to be relevant after you no longer have contact with them? That's usually standardized to about six months.

Robyn Banks:

Really? That's short.

Speaker B:

Yeah, that's short.

So for contact information, because you can change your email very easily in that time, you can change your mobile phone number very easily in that time. So all that kind. So really about six months after you've had last contact with them on the contact information.

Robyn Banks:

Yeah.

Speaker B:

But you will need to keep a certain thing like their name to link it to the medical information because you've got to keep that longer, especially if they're a minor.

Robyn Banks:

So any and any treatment notes and stuff.

Speaker B:

Notes and stuff like that. So you, you need to keep the links there. But there'll be some information which you have to accept, may well change.

If you want to tidy up your system in your archives then. So especially if they're on paper records, you can get rid of whole sheets of paper and just get rid of it.

Robyn Banks:

Yeah, because this is what I was thinking is, and I know that I have got this experience is that in the last couple of years I started and stopped My home, salon, clinic thing that I got for whatever reason. But when I opened on the first time, the. And I did, I only opened for a few months, but I was using a different booking system now. I.

It was attached to a website. So I shut that website down and it wasn't until I reopened that I thought, oh, I could really do that information. And it.

And this is where the question is, is like. Because sometimes you might just stop using a system and start using another one like I've done.

So that data, I can now go back to that company and say, can I have my data, please? And they have to give it to me.

But also, if you like, say you, I don't know, you got a business or whatever and you've got 3,000 clients sat on a system, do what do you still have? Because you're still the data controller even though that business has stopped. That would be correct, wouldn't it?

So therefore you still have a responsibility for the data that that booking system company hold and anything that's. So. So is it something that if you're, if you are going to close down your business that then you just go, can I have a file dump, please?

And just have that whole lot put down into a CSV file that then you can put somewhere safe on a. Probably on a file disk thing, one of those like plugin disks that you can just put somewhere in a c.

Speaker B:

Stick it on a. Stick it on a portable hard drive. They're now a lot cheaper than they used to be. They hold an awful lot of information. Stick it on there.

Because you've got to keep it for that period of time after the business is no longer in, in. In sync. So you've still got to keep. So if you go out of business today, you're still going to have to hold the accounts information until.

Where are we?

Yeah, six years plus the current year. So you can't just get rid of it, you've got to do something with it. But yeah, I would suggest exactly what you're suggesting.

So if you are dissolving your business, you've got all that client information. I would get it off of the booking system because you don't know how long they're going to keep it for. Get it and you're responsible for the data.

Get it down there, get them to download it into a file that you can then just put onto a portable hard drive and then just leave it.

Robyn Banks:

And do we have to.

Just by nature then if once we've downloaded that and we've shut that account with the booking system, do we have a responsibility to ensure they've deleted that data once we've taken what we want? Just kind of going down that road a bit further.

Speaker B:

No.

Robyn Banks:

I know.

It just was sort of crossed my mind just thinking if we actually stop using a company and move, what then happens to the historic data that, that company you've left?

Speaker B:

Well, they should only be keeping it for so long anyway because they should be doing backup.

Robyn Banks:

Yeah.

Speaker B:

Okay. Those backups should, should be continually being overwritten.

So if they have got, if they've got Salon A, Salon B and Salon C on the system every week, every month they'll do a backup. But that backup will be of Salon A, Salon B and Salon C's data. Right. So it'll be one backup for the whole lot.

What will happen then is it will be in sections on their backup so that they can access it if they need to. Because Salon B's system stopped working, for example. So if they have to reboot it up from the backup, they can go in and get that section.

This is how I understand it. All right. Because remember I'm a techie folk. So if then Salon C goes out of business.

Robyn Banks:

Yeah.

Speaker B:

Salon C will download their data from the booking system, get the booking system to send them a copy of the data. So you can then keep it separately for that. Because you're going to not use the booking system anymore. So you're going to pay them anything, are you?

Robyn Banks:

No, no.

Speaker B:

The next time they do a backup they'll only back up Salon A and Salon B's data.

Robyn Banks:

Yeah.

Speaker B:

Because Salon C is not paying them for that anymore.

Robyn Banks:

Yeah.

Speaker B:

So it'll be lost.

Robyn Banks:

Yeah.

Speaker B:

So it'll only be there as long as the backup is there. This is it.

Robyn Banks:

And they wouldn't. Yeah, this is it. Most companies only keep their backups for like so long anyway, don't they?

Speaker B:

Because once, especially if they are doing that kind of system, they will be overwriting them every other week because they will then be.

You'll be updating them every week because you'll have customers coming in and we're all going to be in top tier three paying the 2,900 pounds because we're going to have so many employees and we're all going to go off on holiday, you know, with the proceeds. But that's the way it Works. So, yes, you don't have to go back to them and say, have you deleted that data?

The only time that you would actually look at deleting data is if somebody comes and asks you to be forgotten, asks for their data to be deleted. Right. Now, if you no longer have a use for it, then you should delete it.

Robyn Banks:

Yeah.

Speaker B:

Okay.

Robyn Banks:

Potentially. Because we're providing. Yeah, because we're providing services. We've got medical, not medical. We've got treatment notes that they.

They might say, today I want you to delete all my data. But would we.

Well, I think we would still have a legal responsibility so that if there was a potential, I don't know, say in a year's time, they dropped dead and it could be proven that you were responsible for it and you've deleted data. So, yeah, so we'd have. So we would still have reason to keep it, but we could delete their.

Speaker B:

This really came in. This did exist before, but not in the same way. So with GDPR, they brought in, actually detailed out this right to be forgotten. Okay.

Which is effectively a right to erasure my data. It is not what we call an automatic right. Okay. So to have access to our data, if we choose to have it, is an automatic right. You can't refuse it.

Yeah. If. To at least look, we might not give them everything, but you know, to at least look. One of the other rights is.

So data portability is another right to have our data moved across. The right to be forgotten is the right to ask to be forgotten.

Now this really comes into play with those lovely PPI phone calls that we were all getting.

Robyn Banks:

Yes.

Speaker B:

Right. So somebody phones you up. Now there's two things here. And I'm going to come on to AI in a minute.

Robyn Banks:

Okay. Yeah, because that's my, my next thing is going to go.

Speaker B:

That's your next thing. So. But this, this will, this will go nicely into that. Right.

But we'll deal with this one first, which is you got those phone calls and my husband was brilliant at it. Right. So, sir, I understand you had a road traffic accident. My husband is a coach driver by profession. Okay. Did I. Okay. What can I do for you?

Well, we pay out anything that's happened in a road traffic collision. Fantastic. Do you pay for insomnia? Yes, sir, we do. Fantastic. So you had this car. Did I? I don't remember. But you do pay out for insomnia, don't you?

Yeah. So this was. This would go on for about 10 minutes before they realized that he was just leading them up the garden path.

But when you get a call like that, your first question is, could you just tell me where you've got that information from, please? Where you got the data from?

Robyn Banks:

All right, yeah.

Speaker B:

If they say I don't have to tell you that, the answer is, well, I'm sorry, but under UK data protection legislation. Yes, you do. If you want to make a complaint. Oh, I don't have to give you my name. I'm sorry, but under data protection legislation.

UK data protection legislation. Yes, you don't. Because I have the right to tell you so. To complain about you personally.

And if I don't like the way you're handling my data, and by the way, I'm getting very angry at this call, so that's unwarranted, substantial distress. I sue you personally. So, yeah, I need to know who you are.

Robyn Banks:

Yeah. And then all of a sudden, the line gets cut off.

Speaker B:

The line gets cut off or you get put through to a supervisor. I normally get put through to a supervisor's just suspiciously enough because I start quoting this stuff left, right and center.

Robyn Banks:

Yeah.

Speaker B:

But if it is like a cold call like that. Where did you get my data from? Oh, I got it. And Vodafone were the worst. They sell your data left, right and center. Right.

Robyn Banks:

I was only there for two.

Speaker B:

It's in the fine print of the contract. I'm not with them anymore. But this used to irritate the pants off me. I got it from Vodafone. Right. Well, can you please delete my data?

Because I haven't given them permission to do that.

Robyn Banks:

Yeah.

Speaker B:

Now I have the right then, to ask my data to be deleted, but they will need to keep on there a record of me and my number.

Robyn Banks:

Yeah.

Speaker B:

So that they don't call me again.

Robyn Banks:

Yeah.

Speaker B:

Because if you've asked for that and they call you again, then you can sue them because they're misusing your data. Yeah.

Robyn Banks:

Like the old TPS, like telephone preference and fax.

Speaker B:

Yeah, exactly. That's run by the ICO. Yeah, yeah, that's now running.

Robyn Banks:

I always used to do TPS and MPS.

Speaker B:

Always. Yeah. So, yeah, so that's the kind of thing you're looking for. So that's one tip.

Now, I'm now going to move on to AI, because this reads all those on really nicely. Because they're doing it now with a lot of calls that actually are AI, and you can't tell that AI.

They sound like a perfectly reasonable human being on the end of the phone.

Robyn Banks:

Wow. This is it. Because we know that AI can talk like us.

Speaker B:

So I had a situation. I'm waiting to go into hospital for an operation and I had a sit. I'm waiting for a phone call from the hospital. Right. It's going to be months yet.

But I was expecting it to be months. But about three weeks ago, I got a phone call. I picked up the phone and the lady said, is this Robyn Banks? Now, I know not to say yes.

Robyn Banks:

Yeah, absolutely.

Speaker B:

Because I don't know if that's AI. If that's AI, they're looking for yes, no answers so that they can then use that to then defraud you.

Robyn Banks:

Yeah, potentially. Yeah.

Speaker B:

All right. So that's something to be aware of. So I said, hello, how can I help you? Is this Robyn Banks? I'm not answering that question. How can I help you?

Where are you calling from? And she said, I'm calling from Southend Hospital. Oh, well, in that case, yes, I am.

Robyn Banks:

Yeah.

Speaker B:

I said. And she went, you were being a bit off. And I said, yes, because I had no way of knowing whether you were AI or not.

Robyn Banks:

Yeah. Oh.

Speaker B:

She said, I hadn't thought of that. So people haven't necessarily thought about that, but that's what you've got to be careful of. Artificial intelligence is getting more and more.

And if anybody's seen Mission: Impossible Dead Reckoning Part One, that is today. Okay, yeah. That is not fiction. That is happening. It is indeed, and that is what's scary about it.

Robyn Banks:

As we were saying on our sort of like, pre recording chat, AI is just everywhere. And. And I know, and I bang on a lot. I've been talking about AI a lot over this series and I've spoken.

I've mentioned the Mo Gawdat podcast interview with Steven Bartlett so many times because he was like Google's AI God. And. And Mo's view on where AI is going to be this year is actually quite terrifying and it's already coming true.

And I think this is why there's so many conversations about AI. He was saying in.

I saw him at an event in:

And it is, in one way, it's the most amazing. But we've big caveats of be very careful.

Speaker B:

Very careful. So I'm not saying don't use AI. Okay. Use AI by all means. Do not just use it to do a search.

Get a selection of text, pick up that text and put it straight into your system. Unless you know so your marketing system.

So unless you know that every bit of information in that ALA is correct, is not subject to copyright, is not subject to intellectual property and is not subject to privacy law. Because there are legal cases going on where privacy law has been broken by AI. So you can, you need to make sure that that's the case.

Use it for ideas. By all means. If you are a non native English speaker, use it for translations. But again, be careful. Okay. So I am a linguist.

You're going to love this one. I'm a linguist and I learned to speak Russian at school. Just as Google Translator was coming into play. So to do it.

And that effectively is an artificial intelligence tool.

Robyn Banks:

Yeah.

Speaker B:

What they did was they put into it out of sight, out of mind in English. Got it to translate it into Russian. The Russian words were fine and actually came out correct.

When they translated it back from the Russian to the English, it said invisible idiot.

Robyn Banks:

Wow.

Speaker B:

Okay. Think about it. Out of sight equals invisible. Out of mind technically is the definition of an idiot.

Robyn Banks:

Yeah.

Speaker B:

So be careful because if you are doing it for translation, the words might mean something different.

Robyn Banks:

Yeah.

Speaker B:

Okay. Now so use the tool to do that if you. Because you don't know the text it's giving you.

So if you put a question into Google, it will come up and it will say that it's an AI thing.

Robyn Banks:

Yeah.

Speaker B:

Because they have to identify it. Use that by all means for ideas.

Don't use the wording as it gives you because you could be breaking the law without even realizing that's what you're doing. So it's an effective tool, but use it as a tool.

Robyn Banks:

Yeah. Heavy lifting and then you do all the flouncy bits and make it look like you. Because this is funny.

Actually I was reading something this morning from somebody that. Whose group I mean. And she was saying she spent.

Yesterday she decided to sit down and write a new course and within the space of four hours she'd had the thought and she'd literally written it out herself and got to the point, uploaded it, done everything and she had the whole process done in X number of hours. Now for the last year she's been doing that with the assistance of AI because you can. And why and to a degree, why wouldn't you save all that time?

But she was saying how amazing it was to actually be in the flow of creation and doing all that stuff that our brains are there to do. And, and there was all these people going oh my God, like yeah, thank you. She was like, you know, I give you permission to do the same.

And it's so important, isn't it that a. We do use our brains and we do make it work but we do have to recognize that there are elements to AI that do breach so many.

And it is like you say IP and copy like the copyright stuff. There's just. And, and also like privacy law. If you're taking someone's information. Where. Where is that coming from? And there's. I don't know if you.

I mean I discovered this last week. I've just been in contact and he's coming on the podcast soon. A guy local to me that I met a local networking who isn't.

He refers to himself as an AI architect and he does, he. He creates AI workflows. I mean it is just, he just blows my mind. I can't wait to have a conversation with podcast.

But we were chatting about how that all summer break. I've lost it completely. I was going to say now but he was the. Yes, we. So he's going to come on talk about AI no gone.

Speaker B:

But he does a really interesting point. He can actually make that AI work. He can, he can go to.

So for example, as I said to you, I do a lot of stuff in Lions and I do data protection for Lions and I'm actually doing it internationally. Just written my first ever international agreement. So yeah, and for a completely non legal person it's like yes, because the legal guy's gone.

You've got it spot on, Robin, Go. But there is a guy in the States who has built and using AI, he's built a website. Right.

And, and the idea is that we can take the information from our database system, just copy and paste the information about something we've done, put it into this tool and AI will write us a press release. So you can either go to local and it will tell us where our local press media outlets are even in this country.

It'll do it for a Facebook post or a TikTok post because it will use different language to do it, but it uses the information we've given it. That's fine, that's not a problem. When he was building it, he put in a hundred different pieces of information to see what chat.

When he was training the ChatGPT to do it, he put in 100 pieces of information and when he got the results back from it, 96 of them broke the law. Right. Now that is an incredible figure. This is why we don't use what it gives us unless we've given it these.

So if we give it the information and it manipulates it.

So if you're lady that was doing a course, if you put in the information that you want to go into the course and you ask it to do it in a certain way, you can, you're giving it the information and you're, you're not asking it to go and collect it from the Internet. It's when it goes and collects it from the Internet, you've got to be careful.

Robyn Banks:

That's it. Because I've remembered what it was, I was gonna say now. Menopausal moment. So.

Yeah, but what I don't know if you've noticed on it is on ChatGPT because after I went off and found this other thing, I then discovered that ChatGPT does it as well. And you can now switch on or off the globe on ChatGPT.

And my understanding, because I, I was having met with this guy last week, I came home and I was relaying to my son, oh, mind blowing stuff. Oh my goodness me. Because he's like 27 and he uses a lot of. With 27. Yeah.

And I was saying to him and he went, have you not heard about DeepSeek, Mom? I was like, no.

Speaker B:

So, oh yeah, I heard about DeepSeek.

Robyn Banks:

It's mind blowing. I was just like, I literally was messaging people going, have you seen this?

But then did a bit more research on DeepSeek think, you know, quite pleased immediately that I didn't put lots of information in there because it is from our lovely friends in the People's Republic of China. And so immediately you read like jumping up, but it is so clever. But then I discovered it. The ChatGPT's got the same little globe thing on.

And what it does is it does this deep thinking and it actually, if you see it shows you its thought process.

You can put, I think, on ChatGPT you've got the globe to go out into the wide web and then you've got this light bulb on ChatGPT which then gives you a little screen, it goes down and it tells you how long it's thinking for and it takes you through its thought processes and where it is going to find that information and how you might want to use it. Oh my goodness me.

Speaker B:

Which is fantastic because you then know where the information's come from. Remember in data protection you have to, people have to be able to tell you where they got your information from.

Robyn Banks:

Yeah, it is amazing. And I, and on what I. I mean, what I've done now. And there's also this other wonderful thing called NotebookLM, which is a private.

We were talking about this earlier. It is allegedly boxed off. Google AI that is your own personal AI space and that they can't like your own personal chatbot ChatGPT thing.

I'm so technical. But that is not open to other GPTs coming in and taking your information. It's supposed to be a sealed system.

But, but on ChatGPT, because I didn't know about Notebook then, I have put every one of my blogs because they're out there on public domain anyway. So I put all of my blogs, all of my resources that I've ever created that are out in a public domain and put them into my space and I've.

I've called it Resource bank in ChatGPT.

So now whenever I ask ChatGPT to do anything and ask it to write a blog, it comes back in my voice using my words and using all of the, the resources and the data that it's got to check, which is such a better way of doing it. And I don't know if it's infallible, but it makes it much more me.

And like now if I ask it to write a blog, it writes it in my voice and I don't and I can just look at it and go, actually, I really could have written that.

Speaker B:

Yeah, as long as you can do that. And then, and this is how clever the stuff is.

And I'm not, as I say, I'm not saying I won't use it because I'm a technophobe, but, you know, I'm not going to stop people from using it by any means. I have a general rule of thumb in my business. If you ask me a question, the answer will never be no.

The answer might be, you can't do it like that, or we need to find another way around it. Like with the consent stuff.

If you can't get the information out of sat on a, then get your client to, to give them consent to give it to you, but so find another way around it. So I'm not saying don't use AI.

All I'm saying is please be aware that there are other laws that it very easily breaks if you do not check it out when it gives you the information back. Do not just lift it and use it.

Robyn Banks:

And I know, I mean, because I know there's a few things in development I've Just I've got someone I know that is created a massive In Bono. Actually three. I've got three.

Three people that I know personally at the moment that are creating AI driven products that like data, like tech products, like software as a service kind of stuff for the salon industry that is, has AI in its foundation. So is there a risk? I mean, because obviously because AI is holding that information.

So do we need to make checks that that information is then held securely within their system if they're using AI? Because if it's in their system, a GPT could come in and utilize that in some way.

Speaker B:

Exactly. Yeah, exactly. So anything that's web based.

Anything that's web based, as I used to tell my stepchildren when they were at school and again that's an awful lot of years ago. If you wouldn't stick it on a big double sheet down the front of your house, then don't stick it on Facebook or Internet anywhere. All right.

Public facing stuff. If it's out there in the public domain, that's fair game.

Robyn Banks:

Yeah.

Speaker B:

All right. So as you say, the number of times I've said I'm robbing banks, but I'm not a bank robber. That's out in the public domain and that's a fact.

I haven't got a problem with that. If it picks me up and says, well, she does rob banks, no, I can prove I don't. So that's fine. That's nighttime work anyway, not the day job.

Robyn Banks:

Yeah, absolutely. With your mask on.

Speaker B:

Yeah, exactly. So and, and being a robin, of course I've got my mask superhero. So. But it's, it's using that kind of stuff.

So if you're down in the public domain, it's fair game.

Robyn Banks:

Yeah. All right, okay.

Speaker B:

It's not a breach to use it, but you have to be aware that it may be finding stuff that it's found through other nefarious means because it just searches the World Wide Web, it doesn't differentiate between what's good and what's bad and that's what you need to be careful of. So it may take time to check this stuff, but it's worth doing to make sure you don't end up in court.

Robyn Banks:

Yeah, wonderful.

So as a very quick recap, because I think the thing and I really hope that for our conversation because I mean, I found it informative and I really hope that sort of having a smiley face talking about GDPR kind of lightens it up a little bit because, because it is, you know, it, I mean, isn't Something we can really have a laugh about. But there are parts of it that can be quite light and you. It. You know, there are. I mean, I don't know. I don't know how many pages the actual law is.

I would imagine it's quite a big law that you've had to go through. How many, how many pages is the GDPR Act? I bet you you probably have some protection.

Speaker B:

Act:

The previous law, the:

Robyn Banks:

Yeah.

Speaker B:

That act actually is about 3/4 of a centimeter thick.

Robyn Banks:

Yes.

Speaker B:

Then you've got the guidance notes to go with it. So it's the ICO guidance notes that fills a room. I mean, there's just so much.

Robyn Banks:

I mean, I have to say whenever anyone starts talking about it and you start getting speculative opinion, because that's what happens. Whenever anyone mentions GDPR is my, my go to. Is always go and speak to the ICO phone, the helpline, ask them to help you because they. Their help.

I mean, I've always found their helpline to be very useful whenever I've needed to do anything. And I think as well, because obviously they can come to you and, and use your services, but if for any reason they can't, they have.

They don't have the budget for that and they need to do this themselves. The ICO helpline, they are nice people, aren't they? I've never, I've never had a nasty person and that.

Speaker B:

But just remember that you've got to tell them everything. Don't think they will.

Don't let them assume anything, because that's like I said, when you do, if you find them about the registration, they will assume that you have already decided you are not processing electronically.

Robyn Banks:

Yeah.

Speaker B:

And they won't ask you that question. So you may say to you, ah, but you process data for this reason, this reason and this reason you don't need to register.

Robyn Banks:

Yeah.

Speaker B:

Right. Well, that would be true if you only did it on paper.

Robyn Banks:

Yeah.

Speaker B:

That's wiped out automatically by anything you do electronically. And as I say, even answering the phone is electronic processing.

Robyn Banks:

Yeah.

Speaker B:

So you need, what you need to do is look at it, don't worry about the law. Break down what you need to have in place and then. And break down what data you've got. Okay.

But just make sure that you've got that documentation in place. If you want to have a chat with me, it's free of charge. I don't charge unless I start actually doing new stuff for you.

You know, I'm not charging Sue for today, for example, so, you know, that kind of stuff. And we've had all sorts of issues going on, but it is a case of doing it like that.

And if you want me to check through what you've got, then I'm happy to do that too. And that is minimal cost, you know, that's not going to cost me a lot to do. I will not make you change stuff just to use my services.

Yeah, that I believe is unethical.

Robyn Banks:

It's just a good.

It's, I think, you know, and knowing that you're happy to review what they have already and it is, and maybe just point out, actually you could do some changes here and there, then, you know, it's something that they can then work towards, isn't it, and just, you know, do it as soon as they've got the funds available or whatever. Because especially for solopreneurs and they're like single mums and you know this.

Speaker B:

Exactly. And when we're looking at. It's a business cost. I am a business cost, you can do it through the business.

And if we need to do a payment scheme where you're paying me, I don't know, 60 pound a month or whatever, to make up the three months to make it 180 pounds or whatever it is that we end up being the charging, because, as I say, I'm not going to quote, because it depends on the actual business itself, but it's not going to be more than about 200, 250 quid. That's just not going to happen. But we can break that down into manageable payments for you as well. So you pay me on a payment scheme, that's it.

Robyn Banks:

And I think it's the nice thing with working with, you know, from one small business owner to another small business owner, or one solopreneur to another solopreneur, is that we all get that, like, financial stuff gets in the way of compliance, because it seems like something that big companies have to worry about and we don't have to worry about it. But, you know, the fact that we can make things more manage or you can make things more manageable for people, because it is important.

And I think, you know, the worst thing with anything that where the government involved is you don't want to end up on the wrong side of it, literally.

Speaker B:

Exactly. And you've got an insurance policy in me.

Robyn Banks:

Yeah, absolutely. So how can people find you? Where do, where do. Where can they get in contact with you?

Speaker B:

Right, so you've got my website which has got my contact details on www.adavista.ad for Delta A Viva Victor I S T for Tango a dot com.

Robyn Banks:

Wonderful.

Speaker B:

Okay.

Robyn Banks:

And all your information's on there?

Speaker B:

All my information's on there. Or you can email me. Robin with a Y. Very proud of my wife. Makes me a girl.

So Robin small r@adavista.com Ah, so that's the easiest way to get hold of me. I am on Facebook but I don't tend to use my Facebook page much because I'm too busy doing stuff for people.

Robyn Banks:

Yeah. Which is good.

Speaker B:

And so, yeah, the best way to get hold of me is email me because I'm always off out doing different pieces and stuff.

And like Lions, I've got to go to, to Germany next week to, to sort out their data protection for Lions because they're not doing it in the right kind of way and they're all up in arms about.

Robyn Banks:

Yes.

Speaker B:

A long story. But yeah, they're going to use my international agreement so I've got to take that with me for them to have a look at. But it's.

So I'm all off, awful out of the place and I am going on holiday at the beginning of March because I'm going to celebrate my 60th birthday in Barbados in.

Robyn Banks:

Oh, nice Barbados. Very nice. I know my husband.

Speaker B:

I'm not paying for that. Out of the business that's come completely. Yeah. It's not because I've robbed any banks.

Robyn Banks:

No, no, no.

Speaker B:

That we built up so that we could just do something really nice with it and we're doing something really nice. We're going for.

Robyn Banks:

Away from every week, so that'd be so nice.

So I've been asking everybody on this, on this season for a quote that they love, that they either they either have done themselves or that they just, they live their lives by kind of thing. So the quote you gave me was about no question, there's no stupid questions.

And I do think that that's so apt for what you do because it is complex and we planned it this.

Speaker B:

Morning because we, you know, half an hour chats turned into two hours, you know.

Robyn Banks:

I know, but, but, you know, and this, this, this season, like I always try, always used to try and keep it about an hour. But this season we've been, we have been doing quite a lot of complex subjects.

And the joy of podcast is hitting the pause button and you can just like get out the car or get out wherever you are and just pick it up again later. And I think this is, and I do think this is a podcast.

People are going to be able to hit the pause button on because you're going to need to go back and listen to bits again and get. Actually, no, I need.

That really applies to my business or actually, you know, like that thing we were talking about when I was just like the cookie thing, like the cookie audit.

Speaker B:

Who knew that?

Robyn Banks:

I didn't. And I, I do like to think that I'm relatively in the know on stuff like this. And it was like, wow.

So, yeah, there's so many takeaways on this podcast episode. So thank you so much for coming on, Robin, because it has been really. Oh, I was thinking, sorry I've thrown.

Speaker B:

So much information at you, but no, I can't.

Robyn Banks:

Yeah, absolutely.

But it's why I wanted to get you on, because we do see this stuff popping up all over the place on their different salon groups online, and it is important because it is law, it is compliance, and we have to make sure we get it right. And, and, and there aren't many of many people around like you, unless they're solicitors and, and they're going to charge.

Speaker B:

You thousands of pounds just for you.

Robyn Banks:

Before you even open the door. It's like £250.

And then everything they do within that, they're either going to charge you for a generic document which, like you say, may not suit your business, or if they then write one personally for you, you're looking at like 250 to 400 pounds an hour. So, you know, and it isn't necessary because all it is is an interpretation of the law.

It isn't actually writing the law or enacting the law in any way like that. It just needs to be the interpretation of the law and how you use it in your business.

Speaker B:

And that won't necessarily fit your business and it won't necessarily meet the requirements of the ICO and it's it. So everything I write, equipment you use, anything I write, you're covered by my professional indemnity insurance.

If they ever turn around and say that's wrong, they are aware of me, they know what I do. When I was going to set up by myself, I already knew them because of the work I'd done in the Foreign Office.

So I phoned them up and said, look, this is what I'm thinking of doing. And they went, brilliant. You're going to save us so much work.

Robyn Banks:

Yeah, absolutely. This is it. But. And I think it is, it's just, it's a really, really helpful service that, you know, the. And like we were saying.

Because I was saying she, wasn't I. If you help many salon businesses and you were like, no, not at the moment. Because I just don't think people realize you're there.

So hopefully this will raise a bit of awareness of a GDPR. Shouldn't be scary, isn't scary, doesn't need to be scary. And like. And here's Robyn, who can help you sort out all of your GDPR challenges.

Yeah, yeah.

Speaker B:

And also any questions that you have so and so that you can use it. This stuff is incredibly empowering. Incredibly empowering.

Robyn Banks:

So, yes, wonderful.

So, and actually what I might, I'm going to get you to do, actually, because I've got a couple of places where I can get blogs and I might get you to do a blog that we can use in a couple of places in the industry because I know they're accepting blogs.

So then we can have something in writing from Robyn and just sort of like put you out there a bit more just because I think it takes the edge off that fear and that worry, doesn't it? And yeah, we don't have to be having anxiety moments over GDPR. It's not necessary.

Speaker B:

And once it's in place, it's in place.

You know, if you, if you write it where you've got, where you list out the data that you use, you've got to keep checking it to make sure you're not, you haven't missed anything off the list. Because if you leave something off the list, then you could be processing data illegally. Right. This is all the connotations of it.

So the thing to do is just not go down that line in the first place. But it also makes things a lot more concise and short, which is what they want. And that's what anybody wants to do.

They don't want to be reading, you know, like you said, you can park the pass button on this. Who wants to get two pages into a privacy notice and think, you know what? I can't be dealing with the rest of this now. I pause it.

You never go back to it.

Robyn Banks:

No. And yeah. And this will still be there, won't it?

e're recording it in February:

But you know, at the point that Robin and I recognize building this every, all the information is current and up.

Speaker B:

To date and it took them 20 years last time. There's no reason why it's not going.

Robyn Banks:

To happen now, is it? I don't, I don't think the world will cope with another GDPR update at the moment.

Speaker B:

It was just an update. It. All it did was formalize things a little bit more. It did not change the basic concepts. They were exactly the same before that.

same concepts in place since:

Robyn Banks:

It's mad, isn't it? And yet everyone just went into complete free. But that, but that's the joy of social media, isn't it?

Because everyone went on the groups and on forums and, and everyone had a meltdown because someone else went, oh my God, I'm a bit, I don't know if I've got this right. And then everyone else went, I don't know if I've got this right.

Speaker B:

But that's also the big thing with that was that every solicitor in the land was saying, you have to have everybody's consent to process their data and everybody's gonna. People's consent. I'm gonna have to get rid of everything. And it was absolutely crackers, you know? Yeah, I mean, I know I sent out emails.

Robyn Banks:

I sent emails out to my whole client list and. Yeah. And said to them. Because that's what we were told.

Speaker B:

Yeah.

Robyn Banks:

And I then deleted.

Speaker B:

There you go. Now you got us all that data. Now the other thing is that that probably could have been useful when you restarted the business up again.

The, the, the thing about that is that if you send out an email like that and you do not get a response, that is a withdrawal of consent.

Robyn Banks:

Yeah.

Speaker B:

And you can't send a second email saying, are you going to respond to my first email? That is illegal because you're then forcing my consent.

Robyn Banks:

Yeah, that's it.

Speaker B:

ing to spend a lot of time in:

You do realize this is illegal. End of. But if you send something like that to somebody and they do not respond, they are withdrawing consent to receive anything ever more from you.

Robyn Banks:

dn't, especially after, after:

So is there if, if you have not heard from a client, is there a timeline wherein you then do have to remove them from your system and stop communicating to them?

Speaker B:

There is not anything in the system, in the legislation that says how long you keep data for.

Robyn Banks:

Okay, so we can just put them.

Speaker B:

On our system if you're going to go back to them. Right.

So if you have a retention policy, it's policy that says after four years if I haven't heard from them I'm going to delete it, then that's fine. If they come back to you five years after you last heard from them and they say you've got all my data, all you have to do is say no.

Unfortunately, my data retention policy is such that I only keep the data for four years after my last contact with you. So I don't have that information. Also in that five year period the information will have.

May have changed so radically that I need to collect it all again.

Robyn Banks:

Yeah, we don't have to remove them after a year because I think I, my.

I think that in industry there's a feeling that we kind of, if we don't hear from someone after six months, a year, two years, and it varies, whoever you speak to, that we then have to clear them from our systems. But we don't.

Speaker B:

That's industry. That's not data protection rules.

Robyn Banks:

Yeah, that's it. That's just everybody. But I think it's because everybody's kind of assumed.

I think there was, with all of the, the panic and the fear and everything around it, there was a lot of misinformation going around. Misinformation still sits there. So the legal standpoint of the, the law itself is that we can just hold that data and we can send to them. They.

And as long as they've got the right to unsubscribe.

Speaker B:

Yep, as long as they have the right to unsubscribe. Because you can unsubscribe at any time you want to as an individual. As long as you can do that, then you are covering everything.

So that's where mailers like Mailchimp are really good to use because they do that. They build that in automatically.

Robyn Banks:

Finished.

Speaker B:

Yeah. Even though they're American. So you can do that.

Robyn Banks:

Yeah.

Speaker B:

Oh no, this subject is, is it.

Robyn Banks:

Just goes on to see because I just keep having other little bits pop into my head that I know that people may question. Anyway, I think we should stop there because that is stays so I believe in that.

I mean, obviously we've had like weird things going on as well, haven't we me? But we have been talking for a very long time. So if you've got to the end of this podcast, congratulations. Well done.

And yes, you can have a Tufty badge, but if you're, if you're under the age of 50, you won't know what a Tufty badge is. Yeah, but, but thank you so much, Robyn. We'll stay on and carry on having a chat.

But thank you so much, yeah, for coming on today and just really lifting the blinkers for everybody because it is a really, really important subject. So I'm going to hit the stop button. Record recording now. Thank you very much.

So, honestly me, Robyn, we've just carried on talking about another half an hour. I do think that that could have just gone on forever.

But it is a really, really valuable conversation and it is one that I hope you dip in and out of a lot because it's something I think that all of us need to bear in mind.

GDPR, when it came in, like we were saying, was a very scary thing and everybody, a lot of people put their heads in the sand at the time and were terrified what was going to happen. And it did turn out to be a bit of a blip and not the terrible mountain that everyone thought it was going to be.

But it is still relevant and it is still law and we do still have to comply. And I think Robyn gives you a really, really easy way to access that information.

And just as a, as a heads up, I've just given Robyn my two websites and she's now going to go off and have a check and see if my privacy policy work or my privacy notice is, is okay, which I'm really hoping it is. I'm actually quite nervous.

So I'm going to come back and feedback with that and let you know what happens and see if I've got to make any changes because I may have to make some changes, but we will see.

Anyway, thank you so much for tuning in and, and I, I, as I say, thank you for getting to the end of this if you got to the end of it, and I hope that you found the information useful. So I will see you next time. And that's it. Bye for now. Is your salon delivering the exceptional client.

Speaker B:

Journey you've always envisioned.

Robyn Banks:

The Salon Inspector, led by industry expert.

Speaker B:

Sue Davies, is here to help you.

Robyn Banks:

Elevate every step of the client experience. From the moment clients discover your salon online to the ease of booking and the clarity of your service offerings, every detail counts.

The Salon Inspector's Client Experience Audit offers.

Speaker B:

A digital mystery shop of your business.

Robyn Banks:

Featuring a thorough review of your branding, consistency, online presence and client communication. Sue assesses the touch points you've created to ensure a seamless and memorable experience that keeps clients coming back again and.

Speaker B:

Again ready to transform your salon's client journey. Visit sue-davies.com to schedule your audit today.

Robyn Banks:

The Salon Inspector: Turning Good Experiences into Great Ones. Thank you for listening to Inspiring Salon Professionals.

If you've enjoyed the podcast, please do subscribe, leave a review and don't forget, share with your fellow industry professionals and other business owners that you think may enjoy the show. Links and further information can be found on the Show Notes or on my website, www.sue-davies.com.

All links and further information can be found in the Show Notes and there's also now the option to support the podcast through Buy Me a Coffee. The links for that you can find in the Show Notes. Thanks for listening. See you next time.

Support the Inspiring Salon Professionals Podcast and Help Us Reach More Salon Pros

The Inspiring Salon Professionals podcast is hosted by me, Sue Davies, and is produced from start to finish by just me. I love recording the episodes and bringing you current salon industry thoughts, guidance and expert interviews. To help the podcast stay online your contributions are warmly welcomed.

About the Podcast

Inspiring Salon Professionals
The Podcast to Help Salon Professionals Grow Careers & Businesses
Welcome to Inspiring Salon Professionals, the Podcast that allows every salon professional, whether new or experienced, to level up, build their business and career and reach for their dreams.

Inspiring Salon Professionals is a blend of host, Sue Davies, covering different topical subjects within the salon industry and interviews with salon owners, industry leaders and other professionals that can share their knowledge and experience on practical skills, business skills and creating a client welcoming space. Some of the areas the podcast will cover are:

* Career Development
* Mindset
* Recruitment and Job Hunting
* Inspirational Stories from Experienced Salon Professionals & Owners
* Sales & Marketing
* Client Experience
* Building a Brand
* Salon Development
* Designing your Workspace
* How to Start a Salon Business

The podcast covers subjects from the beginning of your career to becoming an award winning business owner and everything in between.

Sue Davies is an award winning salon owner and industry professional who has been in the salon industry for 20 plus years and has qualifications in nails, beauty, holistic therapies and the mind changing Control System, as well as an educator and assessor. She has gone from a home/mobile worker to self employed salon based, back home to a purpose built salon cabin and onto salon and academy ownership. Since 2005 Sue has held a few other roles along the way in trade association management, national nail competition management, judging internationally and nationally for practical nail competitions and business categories within the Scratch Stars awards system. Sue has spoken at Professional Beauty events on career development and the journey from mobile/home salon to salon owner and how to make the leap. Between 2020 and 2022 Sue was a co-founder and Deputy Chair of The Federation of Nail Professionals. In 2022 she sold her successful and award winning salon, Gorgeous Nail & Beauty Emporium in Bexley, Kent so she can take new directions within the industry.

In 2023 Sue became co-creator and founder of Salon Education Journal, as Editorial Director. SEJ was an innovative and collaborative education publication with a heavy lean into creating successful salon businesses and academies which was part of a business partnership that has now disbanded.

Sue's current business is Inspiring Business Excellence, of which the ISP podcast is part, which offers business mentoring, client journey/experience guidance and audits as well as helping business owners impactfully address their limiting beliefs with the Control System to make rapid change in confidence, anxiety, overwhelm, and many other mindset challenges. Find out more at www.sue-davies.com.

From time to time there may be the odd explicit word used although generally this should not occur.

About your host


Sue Davies