Have you heard about the General Data Protection Regulation (GDPR)? There might have been whispers in the corridors, but few managers and owners know exactly what the new data protection laws will actually mean for their nursery.
So what are they? When do they come in? And what will you need to do to make sure you’re covered? Well, that’s what we’re here for.
GDPR stands for General Data Protection Regulation. It’s an EU law that is set to replace the Data Protection Act (DPA) which was introduced in 1998. Both laws are all about how organisations can hold and process an individual’s personal data, but the GDPR is updated for the digital age.
The GDPR will come into effect on 25th May 2018.
It applies to anyone who collects or processes the personal data of EU citizens. So it will apply to your childcare business.
For starters, the law will come into place before the UK is scheduled to leave the European Union, so you will need to be ready for the May deadline regardless.
On top of this, it is highly likely that the UK will retain these laws or something very similar even after their exit.
If your setting is not GDPR compliant, you can be fined up to 4% of your total yearly revenue. If that sounds scary, I guess it’s because it could be.
But so long as you’re clued up now, and you start to put in some best practices to make sure you’re ready for it, it’s incredibly unlikely that this will happen to a business like yours.
There are a few things you can do right now to start preparing for the GDPR. And really, it’s mostly about this first one.
The most important thing you can do is to make sure that you know what personal data you hold on parents, children, and staff right now, as well as where it came from and who can access it.
You might need to organise an ‘information audit’ to do this. Essentially, this is completely running through all of the ‘information’ you hold, both digital and paper-based. If you don’t know the information you have already, it’s much more difficult to ensure it is all covered safely when the laws come into place.
For instance, you will now be required to share the information you collect on an individual if they request it. If you are not aware of what information you have, it’s going to be much more difficult to do this.
Here are some of the things you need to be thinking about.
What data do you have? – This could be names and addresses, details relating to the free entitlement, health or religious information, or digital images.
How is it stored? – You need to consider whether your clients' personal data is secure.
Where do you get it from? – Most of the time this will be from parents or from the staff.
How do you protect data? – Think about who can access the personal data, whether any sensitive data is password protected or whether anyone in the nursery can see it.
Who do you share the data with? – This might be HMRC, other family members, or social care professionals.
What do you use the data for? – Perhaps you hold child information for development and safeguarding, and parent information for billing and communication.
At the moment, you may be making a signed agreement with parents when you collect their information. This is usually just to let them know who you are and how you intend to use the information.
Now, you will also need to explain your lawful basis for processing personal data, how long you will hold it for, and that they have a right to complain to the ICO if they have a problem with how you’re handling such data.
For more information about precisely what the signed agreement or ‘privacy notice’ needs to include, the ICO has a helpful guide.
Many of the main concepts and rules are similar to those in the current Data Protection Act. There may be some other things you need to consider if you’re not sure you comply with the current laws. You can find out more about the current data protection laws here.
It’s also a very good idea to put someone in charge of reviewing the policies and procedures in line with data protection. When the law comes in, you’re likely to have to assign someone as a data protection officer who is responsible for ensuring you’re following the GDPR.
It’s also a good idea to notify the owners, board or committee, as they may decide to allocate finances or make changes to ensure the setting is GDPR compliant.
It’s highly likely that you will need to review your policies and procedures in light of these changes and it’s important that you have someone directly in charge of this.
It’s worth noting that these laws are set up for businesses of all sizes, and many are much more relevant for bigger enterprises. Having said that, you still need to be able to handle all of the same requests regardless of your size.
So let’s have a quick look at exactly what will change once the law comes into place.
The GDPR contains a more detailed definition of what ‘personal data’ is compared to the DPA (bank accounts, telephone numbers, third parties’ personal data, etc.). For childcare businesses, these changes won’t affect you much provided you’re following the DPA right now.
One difference is that the rules now apply both to automated personal data and to physical, manual filing systems where the data can be sorted and accessed. For example, chronologically ordered manual data now comes under data protection laws.
The existing DPA covers a range of principles that cover your main responsibilities. However, the GDPR has added an entirely new principle, the accountability principle.
In essence, it’s about being able to demonstrate that you comply with the other key principles. This involves maintaining some documentation on how you process personal data. This mostly won’t affect businesses smaller than 250 employees, but you still need to be able to show that you comply.
Under the General Data Protection Regulation or GDPR, parents will have the right to access the information that you hold on them and confirm that the data is being processed in the first place.
This is where your information audit is important. You must understand exactly what you are holding on parents so that you can provide it to them if you are asked to do so.
Individuals now have a right to have personal data corrected if it is inaccurate. If you have shared any of this data with third parties, it is also now your responsibility to inform them of the correction.
Essentially, you must be able to delete or remove all personal data you hold on someone upon request, provided there is no compelling reason for you to continue to hold it.
These compelling reasons? Unlikely to be relevant. They are to do with the data being in the interest of archiving, public health or legal claims. As a nursery, the chances are that your parents will be allowed to withdraw their consent and insist that all data is removed, as agreed previously in the 'privacy notice'.
As a result, you need to make sure that the way in which you hold data allows you to do this.
Please note: here at Famly we love sharing creative activities for you to try with the children at your setting, but you know them best. Take the time to consider adaptations you might need to make so these activities are accessible and developmentally appropriate for the children you work with. Just as you ordinarily would, conduct risk assessments for your children and your setting before undertaking new activities, and ensure you and your staff are following your own health and safety guidelines.