Preparing your early years setting for GDPR
An introduction to what early years settings, nurseries and childminders must do to comply with the General Data Protection Regulation (GDPR) which came into effect in May 2018.
The General Data Protection Regulation (GDPR) is a new EU law that came into effect on 25 May 2018.
It replaces the current Data Protection Act 1998 and the changes remain in place even after the UK leaves the EU in 2019.
GDPR gives individuals greater control over their own personal data.
Your nursery or early years setting may already have a data protection policy in place but GDPR introduces some significant changes in what is needed.
Early years providers need to be aware of these changes and make changes in order to be compliant.
GDPR condenses the Data Protection Principles into six areas, referred to as the Privacy Principles. They are:
You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
You must only use the data for the reason it is initially obtained.
You must not collect any more data than is necessary.
It has to be accurate and there must be mechanisms in place to keep it up to date.
You cannot keep it any longer than needed.
You must protect the personal data.
These privacy principles are supported by a further principle – accountability.
This means your setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.
Areas to consider
Appointing a data protection officer — For most settings, appointing an individual who takes the lead on data compliance will be enough, although for larger early years provider chains may need to appoint a data protection officer.
Privacy notices — When you collect any data you must tell people exactly how you are going to use it, who might you share it with, how long you will keep it as well as information on consent and complaint.
Individual rights — People now have new and enhanced rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.
Consent — GDPR requires early years providers to have a legitimate reason for processing any personal data. Where you rely on consent for processing data you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. People have to actively opt-in.
Data agreements — Early years providers are now obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data meet GDPR requirements.
New projects — Data protection must be incorporated into new projects and services at the development stage — not simply as an after-thought.
Breach notification — You are obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.
Fines — One of the key drivers of compliance is that organisations can be fined significant amounts if they are not. However you should focus on the benefits of ensuring you are handling your data properly.
GDPR support for your nursery or early years setting
For further detail on making changes, Alliance members can:
Other early years GDPR resources
- Alliance members can take EduCare's free online training course: Implementing the GDPR. Before you can take part in this course members will need to ensure they have registered with EduCare's new learning platform. Please visit our EduCare page to read more about these changes.
- A Sample Privacy Notice for employees is available to download from Alliance publication People Management in the Early Years.
- An online download for Alliance publication Safeguarding Children explains specific considerations of GDPR relating to safeguarding.
- The ICO has comprehensive guidance on GDPR including checklists of what organisations need to do.
- The ICO webinar Data Protection for the Education Sector looks at best practice when collecting and using personal information of pupils and staff within educational establishments and discusses the likely impact of GDPR.
- To keep up to date with upcoming Alliance GDPR resources subscribe to our Under 5 e-newsletter using the form at the bottom of the page.