10 steps to General Data Protection Regulation (GDPR) for nurseries

There was a lot of worry and concern about the GDPR, which came into effect on 25 May 2018. Here, Claire Lidstone of Activity4All takes a look back at what GDPR means to nurseries, one year on.

Can you believe it has been over a year since GDPR was introduced? And unfortunately, it is still a cause for confusion among some businesses.

A number of organisations, including nurseries, thought the implementation of GDPR was just another annoyance and policy change to make life difficult. But it is law, and cannot be ignored. 

If you attended the NDNA's GDPR workshops in 2018, you'll now have lots of tips on getting ready for GDPR. We must, however, remember that GDPR is not a one-time admin task that can now be forgotten about. GDPR compliance needs upkeep.

Upkeep doesn't necessarily need to cost money, but I'm sure you know that it will cost staff time. Hopefully, with my top tips, you'll save time and confusion! 

Why is it important?

It is important to remember that the Data Protection Act is 20 years old, and how we hold and manage our nursery data has changed massively over the past 20 years with the introduction of the World Wide Web, emails and smartphones.

The ability to share sensitive data instantly across the world in just a matter of seconds is a new thing and a potential threat to your nursery safeguarding obligations.

You'll already know that it is incredibly difficult to instantly lose your nursery paper records en masse. However, one electronic malfunction and years of your nursery data, which you may have a legislative need to keep, can be gone in an instant.

Our financial security also needs measures in place. And GDPR compliance (although a legal obligation) is a great way to 'keep stock' of all your data. 

So how can you ensure your nursery is compliant one year on?

  1. Complete another data audit.
    Revisit your audit six monthly or yearly to ensure you know what data you hold, why you hold it and how long you should hold it for. Identify if you have a legislative need to hold the data. Download NDNA's free data audit for nurseries here.
  2. Do a Risk Assessment.
    As part of your audit you should be identifying what data you hold of a sensitive nature. You should be able to demonstrate why you share data in certain ways and whether it is appropriate in your setting. I advise that you link your risk assessment to your safeguarding needs. Do you have looked-after children or children with particularly unusual names that need additional protection?
  3. Remember, health and safety always comes first.
    If lists of allergies or menu advice need to be readily available, have you demonstrated, as part of your data audit, that the benefit of having that list on display to staff outweighs the risk to the child of staff not knowing? Where possible, find a location that is clear to staff but not on view to every visitor.
  4. Keep staff knowledge and training up-to-date.
    Ensure your staff training and policies on data protection and management, social media usage and confidentiality are up-to-date and being followed.
  5. Make sure you have a clear policy on email use.
    Ensure you BCC group emails, delete unnecessary emails, and send sensitive details only to the appropriate person by checking the address. Delete emails that you receive in error too.
  6. Keep consent up-to-date.
    Consent is needed for all data that you hold and share for children and staff in your setting that does not have a legislative need. All consent for use of information such as photos and learning journeys should be kept up-to-date.
  7. Review contact information.
    Review your contact information and password systems regularly to ensure they are current and up-to-date. 
  8. Keep on top of deleting unnecessary data. 
    Make sure you delete data that you no longer need. File stored data by the date or year it can be destroyed rather than by individual names.
  9. Revisit NDNA's FAQs on GDPR for nurseries.
    Make sure you revisit NDNA's FAQs on GDPR for nurseries, as these change frequently based on what its members are asking right now. 
  10. Think you're compliant? Test yourself.
    GDPR Direct has a free online quiz on GDPR compliance; have a go here.

Remember, you can still access NDNA's full FAQs from nurseries regarding GDPR here, including a free data audit download and other resources. 

GDPR RESOURCES FOR NURSERIES

GDPR data audit for nurseries

GDPR Privacy Notice for nurseries:
FREE GDPR Privacy Notice for nursery members here
View headings to use in your own Privacy Notice here

GDPR record retention for nurseries:
FREE Record Retention Policy for members in England, Scotland and Wales
FREE Record Keeping and Retention factsheet for members in England and Data Retention factsheet for Scotland

More GDPR support for nurseries:
GDPR factsheet for England, Scotland and Wales 

GDPR training and support visits for nurseries:
GDPR Training, the only face to face GDPR training specifically for nurseries.
NDNA support visits to review your data protection processes