Dr James Huntington's picture

Getting to Grips with the General Data Protection Regulation (GDPR)

You may not think that the GDPR will impact early years settings, including schools, preschools, nurseries and so on – but it does and it’s important to get to grips with what it all means and what steps your establishment should take to get compliant.

What is GDPR?

The General Data Protection Regulation (GDPR) is a directive by which the European Parliament, the Council of the European Union and the European Commission sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR will replace the current Data Protection Act.

The GDPR aims primarily to give control back to individuals over their personal data and covers all companies that deal with the data of EU citizens. The EU definition of “personal data” is “any information relating to an identified or identifiable natural person”. The GDPR is intended to create a uniformity of rules to enforce across the continent.

On 25th May 2018 the GDPR will be enforced across Europe, including the United Kingdom.

Think that the GDPR will not be enforced after Brexit? Wrong. It has been confirmed GDPR will form part of UK law following the country’s withdrawal from the European Union. Therefore, companies including nurseries and other childcare establishments are advised to begin making appropriate steps to make their setting GDPR compliant.

How will it impact the Early Years Sector, including your setting?

For your nursery, preschool, school etc. personal data will likely be information on children, parents and your staff – including names, dates of birth, addresses, allergies, medical information, photos, bank details, national insurance numbers and qualifications. All of which are personally identifiable and therefore concerned under the GDPR.

Under the GDPR there are certain key areas to consider:


Key people within your school or nursery, e.g. managers, owner, directors, board and governing body should be made aware of the changes in law to the GDPR. They should also understand the impact this will have.


You should hold a record of what personal data you hold, where it came from and who you share it with. Something to bear in mind is who in your setting has access to what, from the room staff and teachers, to managers and owners – by limiting how many individuals can access information and what information will reduce risk.

Consent and Privacy Information

You should review how you seek, record and manage consent and whether you need to make any changes to your current procedures. Review and renew existing consent forms now if they don’t meet the GDPR standard. For children, who are not able to give consent of their own data until they are 16, you should think about your current system for obtaining consent from parents or guardians. Furthermore this consent should also cover privacy policies or notices to give individuals your identity and how you plan to use their information.

Individual Rights

This includes the right to be informed, to access, to rectification, to erasure, to restrict processing, to object, and to not be subject automated decision-making and profiling.

A nursery or school should check the policies and procedures in place to ensure they cover all the rights individuals have under the GDPR, this can include how you would delete individuals’ personal data or provide them with their data if requested. LearningBook allows you to download and export data in PDF and CSV formats, so this is something to consider.

Penalties for Non-Compliance

If you don’t comply with GDPR then the Information Commission’s Office (ICO) has the right to fine your company an amount up to £20million or a 4% global turnover, depending on which is greater. The ICO will likely only audit you if there has been a breach.

LearningBook and GDPR

We are currently working through our internal GDPR readiness programme to ensure we are GDPR compliant come May 2018. One of the key deliverables will be an updated Data Processing Agreement, which will form part of the agreement between LearningBook and all customers, stating in legal form, our compliance with GDPR.

Dr James Huntington's picture

Dr James Huntington - Director

James is the Founder and Managing Director at LearningBook. His background in Computer Science and Education help lay the foundation for LearningBook to become one of the UK's first Digital Learning Journey Companies.