What is the UK GDPR?

The General Data Protection Regulation (GDPR) came into force on 25 May 2018 and replaced the Data Protection Act 1998 (DPA). As an EU regulation, it was directly applicable in the UK and did not require implementing. However, it gave Member States limited opportunities to make provisions for how it applied in their particular country and the UK Government took advantage of this option to introduce the Data Protection Act 2018 which adds details such as penalties for non-compliance.

As the Brexit process continued, it became apparent that the UK would need a regime closely based on the GDPR once it finally left the EU and the Government’s answer was to adopt the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which created the concept of UK GDPR – essentially mirroring the EU original but with changes such as replacing references to the European Commission with details of the Information Commissioner's Office (ICO).

As the two are in most requirements essentially the same, it seems likely that most people will continue to refer to the GDPR, rather than UK GDPR.

Why do you need to take action?

Under the DPA, organisations were thought to be compliant until there was a data breach. Under the GDPR, you need to have evidence that you are compliant from the start. This means that you need to have documents and processes in place to demonstrate you are following the regulations and ensuring the safeguarding of the data that you hold.

What do you need to do as an early years provider?

  1. You must register with the Information Commissioner’s Office (ICO) if you have not done so already. As an early years provider, you are a data controller (you are processing personal data) which means you must register with the ICO. Find a list of the ICO fees in a Q&A here.

  2. Compile a “catalogue” of all the information that your provision holds and processes, often referred to as an Information Asset Register. This should include the following.

    1. Is it personal or sensitive?

    2. How is the information stored?

    3. Is it shared or transported, and if so, how is this done?

    4. Is the information included in a retention schedule?

    5. How long are you keeping it for?

    Find a template Information Asset Register here which you can download and fill in for your provision. Each set of boxes represents a different type of “asset”, for example, registration forms, medication forms, accident records, etc.

    What types of data do you store as an early years provider that will be affected by the GDPR? Find out in a Q&A, Types of data affected by the GDPR in early years provisions, here.

  3. You also need to document your data processing. For each process, you need to have a lawful basis for processing and this must be documented. Find out the six lawful bases for processing in a Q&A here.

    The ICO has developed a free downloadable excel spreadsheet to record all your data processing (and include an examples tab).

  4. Write a privacy notice. This should include the following.

    1. The type of information you are collecting (names, addresses, dates of birth, ethnicity, etc).

    2. Who is collecting it and how (paper forms, electronic forms, through a parent portal, etc)?

    3. Why is it being collected?

    4. How will the information be used (this will not only include providing a safe and quality provision for their child but also to access funding from the local authority (LA) and to submit data for headcounts and census)?

    5. Who will you share the data with (this will include the LA for funding and census information as well as any referrals for additional support, for example, the area SENCO)?

    6. Will there be an effect on the individual (data subject) concerned and is it likely to cause any individuals to object or complain?

    Find a template privacy notice here.

  5. Update your data protection policy. Find a template GDPR data protection policy here, which you can download and customise for your provision.

  6. Train your staff. Everyone working for you, including permanent staff, volunteers and work placement students and committee members all need to have completed GDPR awareness training and have a good understanding of your policies and procedures. Find a GDPR Awareness Staff Training Presentation here to fulfil your training needs.

  7. Inform parents of the GDPR and how you are using the regulation to keep their information secure. Find guidance on what to include in a letter to parents in a Q&A here and a template letter for parents here.

  8. Ensure your IT systems are robust and compliant with the GDPR. Find a checklist on how to keep your IT systems secure and compliant with the GDPR here.

  9. Review your contracts with any providers who process data on your behalf. Ensure that they are compliant with the GDPR. Find guidance here and a template contract here.

  10. Have a process in place for how to handle a data protection breach, including how to report and record it. Find a breach reporting template here and a record of data breach form here.

GDPR checklist

Download this GDPR checklist to check and demonstrate your compliance with the GDPR.


Recent events have brought the GDPR back on to the agenda as the implications of how organisations are going to be expected to deal with the current Covid-19 pandemic have become apparent. The Government requires businesses to support the NHS Test and Trace service by keeping a temporary record of customers and visitors for 21 days.

Detailed advice

Comprehensive advice on how to manage the GDPR can now be found in the Data Protection topic.

Summary advice

These feature articles give a summary overview of the GDPR.

Last reviewed 28 June 2021