General Data Protection Regulation (GDPR) for nurseries

It's nearly a year since the General Data Protection Regulation (GDPR) was introduced (25 May 2018) but what is it and what do you, as a nursery or early years and childcare provider, need to do about it?

Use our GDPR FAQs for nurseries below to make sure you are compliant:

What is it?

GDPR stands for General Data Protection Regulation which becomes law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations.

How does this differ from the current data protection laws?

GDPR will replace the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on more robust protection for individuals and higher penalties for organisations that fail to comply.

What is personal data?

This is classed as any data which can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank accounts and photos. But just an email address is not personal data unless it can be directly linked to more data that is stored somewhere else.

Does this include children’s data?

Yes, it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.

What do I do with emergency contacts on the nursery database?

You are required under EYFS duties, for the health and well-being of children, to have emergency contact details for all children attending your setting, for use in an emergency when you are unable to contact parents directly.

The parent or guardian gives you these details as the people they authorise to collect their child in their absence, so the parent is giving you permission to hold this information. Your duty is to protect this data as you would all other data and to use it only for the intended purpose: in this case, to make contact in the event of an emergency.

Local Authorities may require providers in their area to obtain signed consent from emergency named contacts.

How does this work with nurseries’ legal obligations?

Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data.

In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.

What are the rights for individuals?

GDPR works around the principle of consent and assumes the automatic right of privacy to individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold onto this data and for what purpose.

Individuals have the right to be “forgotten” and can also object to some use of their own data.

Why do we have to comply?

All organisations which handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.  

What is a breach?

If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner's Office. Find out how to do this here.

Who does it affect?

This affects everyone as individuals and all organisations which hold personal data of any type. 

Will it cost our setting to do this? 

It will mainly cost your setting staff time – but you may wish to update your processes and systems which could mean an investment.

When will we need to do this by?

The regulation becomes law from 25 May 2018 – settings must comply with GDPR from that date onwards. NDNA advises that businesses start planning now. Review what you are currently doing to comply with the existing laws and take it from there.

Will all staff need to know this?

It’s useful for everybody to be aware of GDPR and what it means. All staff who handle data need to know more about the regulation. NDNA recommends that each setting appoint a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.

It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.

Do I need to fill in forms that I receive from external organisations?

We have had some members query forms they are receiving from external organisations.

You may be receiving requests from external organisations to fill in forms and legal agreements to show compliance with GDPR.

You only need to respond if you are actually processing (handling, using or sharing) personal data which they have either sent to you or received from you.

Personal data is data which can identify a single person.

If none of this applies then we recommend you simply contact the organisation to tell them this. Do not waste time completing their forms.

GDPR resources for nurseries

  • Have an NDNA support visit to review your data protection processes
  • FREE GDPR Privacy Notice for nursery members here
  • View headings to use in your own Privacy Notice here
  • FREE Record Retention Policy for members in England, Scotland and Wales
  • FREE Record Keeping and Retention factsheet for members in England and Data Retention factsheet for Scotland
  • GDPR factsheet for England, Scotland and Wales 
  • GDPR Training, the only face to face GDPR training specifically for nurseries
  • GDPR Nursery News Magazine article (download below)
  • GDPR Data audit template for nurseries (download below)
  • GDPR further FAQs (download below)
  • GDPR quick reference handout (download below)
  • GDPR consideration points handout (download below)

NDNA Template: GDPR audit for nurseries (Microsoft Excel Workbook)
NDNA GDPR further FAQs (Adobe PDF File)

"...gave lots of practical examples of the kind of data you need to keep in early years, and what you do not."

- NDNA GDPR training attendee Jackie Offer

Read all comments in Nursery World here