General Data Protection Regulation (GDPR) for nurseries

You might have heard about the General Data Protection Regulation (GDPR) in the media, but what is it and what do you, as a nursery, need to do about it?


Make your nursery compliant with the new EU Directive by 25 May 2018, with our GDPR FAQs for nurseries below:

  1. What is it?
  2. How does this differ from the current data protection laws?
  3. What is personal data?
  4. Does this include children’s data?
  5. How does this work with nurseries’ legal obligations?
  6. What are the rights for individuals?
  7. Why do we have to comply?
  8. What is a breach?
  9. Who does it affect?
  10. Will it cost our setting to do this?
  11. When will we need to do this by?
  12. Will all staff need to know this?

What is it?

GDPR stands for General Data Protection Regulation, which becomes law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations.

How does this differ from the current data protection laws?

GDPR will replace the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on a more robust protection for individuals and higher penalties on organisations who fail to comply. 

What is personal data?

This is classed as any data which can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank accounts and photos. But just an email address is not personal data unless it can be directly linked to more data that is stored somewhere else.

Does this include children’s data?

Yes it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.

How does this work with nurseries’ legal obligations?

Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data.

In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.

What are the rights for individuals?

GDPR works around the principle of consent and assumes the automatic right of privacy to individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold onto this data and for what purpose.

Individuals have the right to be “forgotten” and can also object to some use of their own data.

Why do we have to comply?

All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.  

What is a breach?

If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner’s Office. Find out how to do this here.

Who does it affect?

This affects everyone as individuals and all organisations which hold personal data of any type. 

Will it cost our setting to do this? 

It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.

When will we need to do this by?

The regulation becomes law from 25 May 2018 – settings must comply with GDPR from that date onwards. NDNA advises that businesses start planning now. Review what you are currently doing to comply with the existing laws and take it from there.

Will all staff need to know this?

It’s useful that everybody is aware of GDPR and what it means. All staff that handle data need to know more about the regulation. NDNA recommends that each setting appoint a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.

It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.

GDPR resources for nurseries


  • GDPR factsheet for England, Scotland and Wales 
  • GDPR Training, the only face to face GDPR training specifically for nurseries
  • GDPR Nursery News Magazine article (download below)
  • GDPR Data audit template for nurseries (download below).

NDNA Template: GDPR audit for nurseries
(Microsoft Excel Workbook)