What is it?
GDPR stands for General Data Protection Regulation which becomes law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations.
How does this differ from the current data protection laws?
GDPR will replace the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on a more robust protection for individuals and higher penalties on organisations who fail to comply.
What is personal data?
This is classed as any data which can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank accounts and photos. But just an email address is not personal data unless it can be directly linked to more data that is stored somewhere else.
Does this include children’s data?
Yes it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.
What do I do with emergency contacts on the nursery database?
You are required under EYFS duties, for the health and well-being of children to have emergency contact details for all children attending your setting in case of emergency when unable to contact parents directly.
You are given these details by the parent/guardian as the people they authorise to collect their child in their absence, therefore the parent is giving you permission to hold this information, your duty is to protect this data as with all other data and only use it for the intended purpose, in the case to contact in the event of an emergency.
Local Authorities may require providers in their area to obtain signed consent from emergency named contacts.
How does this work with nurseries’ legal obligations?
Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data.
In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.
What are the rights for individuals?
GDPR works around the principal of consent and assumes the automatic right of privacy to individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold onto this data and for what purpose.
Individuals have the right to be “forgotten” and can also object to some use of their own data.
Why do we have to comply?
All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.
What is a breach?
If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioners Office
. Find out how to do this here.
Who does it affect?
This affects everyone as individuals and all organisations which hold personal data of any type.
Will it cost our setting to do this?
It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.
When will we need to do this by?
The regulation becomes law from 25 May 2018 – settings must comply with GDPR from that date onwards. NDNA advises that businesses start planning now. Review what you are currently doing to comply with the existing laws and take it from there.
Will all staff need to know this?
It’s useful that everybody is aware of GDPR and what it means. All staff that handle data need to know more about the regulation. NDNA recommends each setting appointing a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.
It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.
Do I need to fill in forms that I receive from external organisations?
We have had some members query forms they are receiving from external organisations.
You may be receiving requests from external organisations to fill in forms and legal agreements to show compliance with GDPR.
You only need to respond if you are actually processing (handling, using or sharing) personal data which they have either sent to you or received from you.
Personal data is data which can identify a single person.
If none of this applies then we recommend you simply contact the organisation to tell them this. Do not waste time completing their forms.