Getting to Grips with the GDPR

GDPR in Early Years

You may not think that the GDPR will impact early years setting but it does. It’s important to get to grips with what it all means and what steps your establishment should take to be compliant.

What is GDPR?

The General Data Protection Regulation (GDPR) is a directive by which the European Parliament, the Council of the European Union and the European Commission sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR will replace the current Data Protection Act.

The GDPR aims primarily to give control back to individuals over their personal data and covers all companies that deal with the data of EU citizens. The EU definition of “personal data” is “any information relating to an identified or identifiable natural person”. Above all, the GDPR is intended to create a uniformity of rules to enforce across the continent.

On 25th May 2018 the GDPR will be enforced across Europe.

Think that the GDPR will not be enforced after Brexit? Wrong. To clarify, it has been confirmed GDPR will form part of UK law following the country’s withdrawal from the EU. Therefore, companies including nurseries and other childcare establishments are advised to begin making appropriate steps to make their setting GDPR compliant.

How will it impact the Early Years Sector, including your setting?

For your nursery, preschool, school etc. personal data will likely be information on children, parents and your staff. For instance, names, dates of birth, addresses, allergies, medical information, photos, bank details, national insurance numbers and qualifications. All of which are personally identifiable and therefore concerned under the GDPR in early years settings.

Under the GDPR there are certain key areas to consider:

Awareness

Key people within your school or nursery aware of the changes in law to the GDPR. These people may include managers, owner, directors, or governing body. Importantly, they should also understand the impact this will have.

Information

You should hold a record of what personal data you hold, where it came from and who you share it with. Something to bear in mind is who in your setting has access to what. By limiting how many individuals can access information and what information will, consequently, reduce risk.

Consent and Privacy Information

Firstly, you should review how you seek, record and manage consent. Secondly, find out whether you need to make any changes to your current procedures. Review and renew existing consent forms now if they don’t meet the GDPR standard. For children, who are not able to give consent of their own data until they are 16, you should think about your current system for obtaining consent from parents or guardians. Furthermore, this consent should also cover privacy policies or notices to give individuals your identity. It also means they know how you plan to use their information.

Individual Rights

This includes the right to be informed, to access, to rectification, to erasure, to restrict processing, to object, and to not be subject automated decision-making and profiling.

A nursery or school should check the policies and procedures in place to ensure they cover the rights individuals have under the GDPR. This can include how you would delete individuals’ personal data or provide them with their data if requested. LearningBook allows you to download and export data in formats suchs as PDF, CSV etc, so this is something to consider when it comes to GDPR in your early years setting.

Penalties for Non-Compliance

If you don’t comply with GDPR then the Information Commission’s Office (ICO) has the right to fine your company an amount up to £20million or a 4% global turnover. The level of the fine depends on which is greater. The ICO will likely only audit you if there has been a breach.

Find out more: