Have you heard about the GDPR? There might have been whispers in the corridors, but few managers and owners know exactly what the new data protection laws will actually mean for their nursery.
So what are they? When do they come in? And what will you need to do to make sure you’re covered? Well, that’s what we’re here for.
What is it?
GDPR stands for General Data Protection Regulation. It’s an EU law that is set to replace the Data Protection Act (DPA) which was introduced in 1998. Both laws are all about how organisations can hold and process an individual’s personal data, but the GDPR is updated for the digital age.
When does it come into effect?
The GDPR will come into effect on 25th May 2018, so don’t worry, you’ve got plenty of time.
Does it apply to me?
It applies to any organisation that collects or processes the personal data of individuals in the EU, whatever the size of the organisation. So it will apply to your childcare business.
And what about Brexit?
For starters, the law will come into force before the UK is scheduled to leave the European Union, so you will need to be ready for the May deadline regardless.
On top of this, it is highly likely that the UK will retain these laws or something very similar even after their exit.
What happens if I don’t comply?
If you fail to comply with the GDPR you can be fined up to €20 million or 4% of your total annual worldwide turnover, whichever is higher. If that sounds scary, I guess it’s because it could be.
But so long as you’re clued up now, and you start to put in some work to make sure you’re ready for it, it’s incredibly unlikely that this will happen to a business like yours.
What can I do?
There are a few things you can do right now to start preparing for the GDPR. And really, it’s mostly about this first one…
Work out the information you hold now
The most important thing you can do is to make sure that you know what personal data you hold on parents, children, and staff right now, as well as where it came from and who can access it.
You might need to organise an ‘information audit’ to do this. Essentially, this is completely running through all of the ‘information’ you hold, both digital and paper-based. If you don’t know the information you have already, it’s much more difficult to ensure it is all covered safely when the laws come into place.
For instance, you will now be required to share the information you hold on an individual if they request it (a ‘subject access request’). If you are not aware of what information you have, it’s going to be much more difficult to do this within the time allowed.
Here’s some of the things you need to be thinking about.
What data do you have? – This could be names and addresses, details relating to the free entitlement, health or religious information, or digital images.
How is it stored? – You need to consider whether your data is secure.
Where do you get it from? – Most of the time this will be from parents or from the staff.
How do you ensure it’s kept private? – Think about who can access the data, whether sensitive data (such as health or safeguarding records) is locked away or password protected, and whether anyone in the nursery can see it.
Who do you share the data with? – This might be HMRC, other family members, or social care professionals.
What do you use the data for? – Perhaps you hold child information for development and safeguarding, and parent information for billing and communication.
Review your privacy notices
At the moment, you may be making a signed agreement with parents when you collect their information. This is usually just to let them know who you are and how you intend to use the information.
Now, you will also need to explain your lawful basis for processing the data, how long you will hold the data for, and that they have a right to complain to the ICO if they have a problem with how you’re handling the data.
For more information about precisely what the signed agreement or ‘privacy notice’ needs to include, the ICO has a helpful guide.
Make sure you’re in line with the current laws
Many of the main concepts and rules are similar to those in the current data protection act. There may be some other things you need to consider if you’re not sure you comply with the current laws. You can find out more about the current data protection laws here.
Putting someone in charge
It’s also a very good idea to put someone in charge of reviewing your policies and procedures in line with data protection. Under the GDPR, a formal data protection officer is only mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, which a typical nursery’s will not. Even so, you should still name one person who is responsible for ensuring you’re following the GDPR.
It’s also a good idea to notify the owners, board or committee as they may decide to allocate finances or make changes to ensure they’re prepared for the GDPR.
It’s highly likely that you will need to review your policies and procedures in light of these changes and it’s important that you have someone directly in charge of this.
So, what’s going to change?
It’s worth noting that these laws are set up for businesses of all sizes, and many are much more relevant for bigger enterprises. Having said that, you still need to be able to handle all of the same requests regardless of your size.
So let’s have a quick look at exactly what will change once the law comes into place.
Personal data definition
The GDPR contains a more detailed definition of what ‘personal data’ is compared to the DPA. For childcare businesses, these changes won’t affect you much provided you’re following the DPA right now.
One difference is that personal data now covers both automated personal data and structured manual filing systems where records can be sorted and accessed by particular criteria. For example, chronologically ordered paper files now come under the data protection laws.
The existing DPA covers a range of principles that cover your main responsibilities. However, the GDPR has added an entirely new principle, the accountability principle.
In essence, it’s about being able to demonstrate that you comply with the other key principles. This involves keeping documentation of how you process personal data. The formal record-keeping requirement is relaxed for organisations with fewer than 250 employees, unless the processing is not occasional or involves special category data such as health information (which a nursery’s often will), but you still need to be able to show that you comply.
The right to obtain information
Under the GDPR, parents will have the right to access the information that you hold on them, along with confirmation that the data is being processed in the first place. You will normally have to respond within one month and, in most cases, free of charge.
This is where your information audit is important. You must understand exactly what you are holding on parents so that you can provide it to them if you are asked to do so.
Individuals now have a right to have personal data corrected if it is inaccurate. If you have shared any of this data with third parties, it is also now your responsibility to inform them of the correction.
The right to be forgotten
Essentially, you must be able to delete or remove all data you hold on someone upon request, provided there is no compelling reason for you to continue to hold it.
These compelling reasons are mostly to do with archiving in the public interest, public health, legal claims, or records you are legally obliged to retain (for example safeguarding and attendance records that must be kept for a set period). Outside those, the chances are that your parents will be allowed to withdraw their consent and insist that all data is removed.
As a result, you need to make sure that the way in which you hold data allows you to do this.