GDPR stands for ‘General Data Protection Regulation’ and is a new EU law. Once in force, it will give individuals greater control over their own personal data. Regardless of the UK’s plans to leave the EU next year, this will still be a legal requirement for all organisations.
The new regulations don’t come into force until 25th May. However, there are plenty of things you can do now to ensure you’re well on your way to becoming “GDPR ready” by the appointed deadline.
Step 1: Carry out a data audit
One of the most important things you can do now is carry out an audit of all the personal data you hold on children, parents and staff members. As part of your audit, record where the information came from and who can access it.
Consider the following:
- What data do you have? – Remember, GDPR is only concerned with personal data such as names, addresses, digital images and health information.
- How is it stored? – Think of how your sensitive data is kept secure.
- Who do you share data with? – Examples include HMRC, family members and other settings.
- What do you hold the data for? – Examples include safeguarding, billing and communication with parents.
Your data audit will need to cover the information you hold both digitally and on paper. Any personal data which is collected but does not serve a clear and functional purpose will need to be kept to a minimum.
Step 2: Appoint a Data Protection Officer
Not every organisation will be required to appoint a Data Protection Officer as part of GDPR, but it’s good practice to have one. There are a few specific instances where you must do so, such as:
- If you’re a public authority, such as a maintained nursery or part of a maintained school or academy. If you’re part of a maintained school, there may already be a Data Protection Officer you can go to for guidance.
- If you carry out ‘large scale’ processing of special categories of data (or data relating to criminal convictions and offences). This is more likely to apply to you if you’re a pre-school or a nursery.
To avoid a conflict of interest, the person you appoint as your Data Protection Officer should not be the person who runs your setting. They should, however, report directly to the senior management team.
Step 3: Display privacy notices
The new regulations call for “concise, transparent, intelligible and easily accessible” privacy notices. A privacy notice lets parents or staff members know how information about them is recorded, used and stored.
You’ll need to display a privacy notice whenever consent is required as the lawful basis for processing personal data. Remember, personal data is classed as anything that can be used to identify a specific person, such as their name, address or date of birth.
If you use a registration form for new parents, you can include your privacy notice at the bottom of the form. You’ll need to include a signature or tick box to confirm that parents have read and understood the privacy notice.
Step 4: Keep staff informed
Your staff are likely to handle huge amounts of personal data every day, so they need to be aware of the new rules introduced by GDPR. They should know how to keep personal data safe from a breach – that is, an incident in which someone accidentally loses, destroys or gives unauthorised access to personal data. Having this knowledge will also help them answer parents’ queries about how their data will be used and stored by your setting.
Step 5: Know the rights of individuals
The GDPR grants a new set of rights which give individuals greater access to, and control over, their personal data. The ones most likely to affect your childcare business are:
The right to access data
Parents can request access to the data you hold on them. Except in certain circumstances, such as when the request is excessive, you must not charge a fee for this. Under the new rules, if parents ask for this information, you must provide it within 1 month.
The right to rectification
Parents have the right to request that information about them or their child is amended if it’s incomplete or inaccurate. Again, there’s a time limit of 1 month for you to carry this out after it has been requested.
The right to be forgotten
Parents have the right to ask you to delete the data you hold on them or their child. There are instances, however, where you can refuse to do this. For example, the Statutory Framework for the Early Years Foundation Stage states that “Records relating to individual children must be retained for a reasonable period of time after they have left the provision”. In this instance, other legislation overrides the new rights given to individuals under the GDPR.
The right to be informed
As transparency is a key part of the new rules, you must tell parents the reason for processing their or their child’s personal data. You also need to tell them how long you’ll hold that data for and who it will be shared with. This is called ‘privacy information’. You must provide privacy information to parents at the time you collect personal data from them.
The right to object to processing
Parents have the right to object to the processing of their personal data, for example for the purposes of direct marketing. A common example is a request to be removed from your mailing list. In this instance, you must stop processing their personal data as soon as you receive the request.
The right to data portability
Under the new rules, parents have the right to obtain, move and transfer their personal data (or their child’s) across different services. To comply with GDPR, you must provide this data in a structured, commonly used and machine-readable format. An example of this would be a CSV file.
Step 6: Put data sharing agreements in place
It’s good practice to have a data sharing agreement with everyone outside of your organisation with whom you share personal data. For example, when:
- Your local authority asks for a headcount form and you need to provide children’s addresses and dates of birth.
- A child is doing a split placement between you and another setting, and you’re sharing personal data or keeping joint records. This can often happen when a child’s care is split between a childminder and nursery.
- You have a training provider for an apprentice in your setting. If you’re supplying personal data about that apprentice, you need a data sharing agreement with the training provider.
A data sharing agreement will set out rules between two parties about sharing an individual’s personal data. It will cover such issues as what data is being shared and why, who will have access to it and what procedures you’ll follow if there’s a data breach.
A note on achieving compliance
Whilst it’s difficult at this stage to know exactly how the GDPR rules will be enforced, the penalties for non-compliance are severe. If your setting is found to be in breach of the regulations after being investigated, you could face fines of up to 4% of your annual turnover. That is a percentage of your turnover, not of your profit! You could also face prosecution and ultimately imprisonment.
Of course, it will take time to review your current procedures for collecting data and to carry out an audit of what personal data you hold. It will take longer still to put new policies and notices in place to make sure you’re GDPR compliant. However, so long as you can evidence that you’re taking clear steps towards achieving compliance now, you’re on the right path.