Preparing for the GDPR: What Your Nursery Can Do Now | Famly

Have you heard about the GDPR? There might have been whispers in the corridors, but few managers and owners know exactly what the new data protection laws will actually mean for their nursery.

So what are they? When do they come in? And what will you need to do to make sure you’re covered? Well, that’s what we’re here for.

What is it?

GDPR stands for General Data Protection Regulation. It’s an EU law that is set to replace the Data Protection Act (DPA) which was introduced in 1998. Both laws are all about how organisations can hold and process an individual’s personal data, but the GDPR is updated for the digital age.

When does it come into effect?

The GDPR will come into effect on 25th May 2018, so don’t worry, you’ve got plenty of time.

Does it apply to me?

It applies to anyone who collects or processes the personal data of EU citizens. So it will apply to your childcare business.

What can I do?

There are a few things you can do right now to start preparing for the GDPR. And really, it’s mostly about this first one…

Work out the information you hold now

The most important thing you can do is to make sure that you know what personal data you hold on parents, children, and staff right now, as well as where it came from and who can access it.

You might need to organise an ‘information audit’ to do this. Essentially, this is completely running through all of the ‘information’ you hold, both digital and paper-based. If you don’t know the information you have already, it’s much more difficult to ensure it is all covered safely when the laws come into place.

For instance, you will now be required to share the information you collect on an individual if they request it. If you are not aware of what information you have, it’s going to be much more difficult to do this.

Here are some of the things you need to be thinking about.

What data do you have? – This could be names and addresses, details relating to the free entitlement, health or religious information, or digital images.

How is it stored? – You need to consider whether your data is secure.

Where do you get it from? – Most of the time this will be from parents or from the staff.

How do you ensure it’s kept private? – Think about who can access the data, and whether any sensitive data is password protected or whether anyone in the nursery can see it.

Who do you share the data with? – This might be HMRC, other family members, or social care professionals.

What do you use the data for? – Perhaps you hold child information for development and safeguarding, and parent information for billing and communication.

Review your privacy notices

At the moment, you may be making a signed agreement with parents when you collect their information. This is usually just to let them know who you are and how you intend to use the information.

Now, you will also need to explain your lawful basis for processing the data, how long you will hold the data for, and that they have a right to complain to the ICO if they have a problem with how you’re handling the data.

For more information about precisely what the signed agreement or ‘privacy notice’ needs to include, the ICO has a helpful guide.

Make sure you’re in line with the current laws

Many of the main concepts and rules are similar to those in the current Data Protection Act. There may be some other things you need to consider if you’re not sure you comply with the current laws. You can find out more about the current data protection laws here.

Putting someone in charge

It’s also a very good idea to put someone in charge of reviewing the policies and procedures in line with data protection. When the law comes in, you’re likely to have to assign someone as a data protection officer who is responsible for ensuring you’re following the GDPR.

It’s also a good idea to notify the owners, board or committee as they may decide to allocate finances or make changes to ensure they’re prepared for the GDPR.

It’s highly likely that you will need to review your policies and procedures in light of these changes and it’s important that you have someone directly in charge of this.

Inaccurate data

Individuals now have a right to have personal data corrected if it is inaccurate. If you have shared any of this data with third parties, it is also now your responsibility to inform them of the correction.

The right to be forgotten

Essentially, you must be able to delete or remove all data you hold on someone upon request, provided there is no compelling reason for you to continue to hold it.

These compelling reasons? Unlikely to be relevant. They are to do with the data being in the interest of archiving, public health or legal claims. As a nursery, the chances are that your parents will be allowed to withdraw their consent and insist that all data is removed.

As a result, you need to make sure that the way in which you hold data allows you to do this.
