What is the GDPR?
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and replaces the current Data Protection Act 1998 (DPA).
Why do you need to take action?
Under the DPA, organisations were thought to be compliant until there was a data breach. Under the GDPR, this is no longer the case: you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate that you are following the regulations and safeguarding the data that you hold.
What do you need to do as an early years provider?
You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As an early years provider, you process personal data and are therefore a data controller, which means you must register with the ICO. Find a list of the ICO fees in a Q&A here.
Compile a “catalogue” of all the information that your provision holds and processes, often referred to as an Information Asset Register. This should include the following.
Is it personal or sensitive?
How is the information stored?
Is it shared or transported, and if so, how is this done?
Is the information included in a retention schedule?
How long are you keeping it for?
Find a template Information Asset Register here which you can download and fill in for your provision. Each set of boxes represents a different type of “asset”, for example, registration forms, medication forms, accident records, etc.
What types of data do you store as an early years provider that will be affected by the GDPR? Find out in a Q&A, Types of data affected by the GDPR in early years provisions, here.
You also need to document your data processing. For each process, you need to have a lawful basis for processing and this must be documented. Find out the six lawful bases for processing in a Q&A here.
The ICO has developed a free downloadable Excel spreadsheet to record all your data processing (it includes an examples tab).
Write a privacy notice. This should include the following.
The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).
Who is collecting it and how (paper forms, electronic forms, through a parent portal, etc)?
Why is it being collected?
How will the information be used? This will include not only providing a safe and quality provision for their child but also accessing funding from the local authority (LA) and submitting data for headcounts and the census.
Who will you share the data with? This will include the LA for funding and census information, as well as any referrals for additional support, for example, the area SENCO.
Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?
Find a template privacy notice here.
Update your data protection policy. Find a template GDPR data protection policy here, which you can download and customise for your provision.
Train your staff. Everyone working for you, including permanent staff, volunteers, work placement students and committee members, needs to have completed GDPR awareness training and to have a good understanding of your policies and procedures. Find a GDPR Awareness Staff Training Presentation here to fulfil your training needs.
Inform parents of the introduction of the GDPR and how you are using the new regulation to keep their information secure. Find guidance on what to include in a letter to parents in a Q&A here and a template letter for parents here.
Ensure your IT systems are robust and compliant with the GDPR. Find a checklist on how to keep your IT systems secure and compliant with the GDPR here.
Download this GDPR checklist to check and demonstrate your compliance with the GDPR.
Other useful documents
Last reviewed 29 April 2019