General Data Protection Regulation - Data Mayday

The Pre-school Learning Alliance
Monday, February 5, 2018

Under General Data Protection Regulation (GDPR), the way companies store and use data must change – or they could face a hefty fine. The Pre-school Learning Alliance gives the lowdown on the new laws

GDPR stands for General Data Protection Regulation. It is a new European Union (EU) law which will replace the UK Data Protection Act 1998 when it comes into effect on 25 May.

The new regulation will bring about significant changes to current data protection laws.


WHY SHOULD I CARE?

Data protection isn’t necessarily the most exciting aspect of early years provision, but it is an important one.

Protecting the personal data you hold (for example, about the children in your care, their parents/carers or your employees) is something that all early years providers should already be doing under current UK data protection rules.

However, GDPR will introduce a number of changes to these rules and so it is vital that your setting takes any steps needed to ensure that you are complying with this new regulation.

WHAT HAPPENS IF I DON’T COMPLY?

Under GDPR, any organisation that does not comply with the new rules may face a fine of up to 4 per cent of its annual global turnover, or 20 million euros, whichever is higher. This is significantly higher than the current maximum penalty that the Information Commissioner’s Office (ICO) can issue, which is £500,000.

WILL GDPR DEFINITELY AFFECT ME?

Yes, any organisation that processes and holds the personal data of individuals (referred to under GDPR as ‘data subjects’) living in the EU will need to adhere to GDPR when it comes into effect, including early years providers.

IF GDPR IS AN EU LAW, WON’T IT STOP APPLYING ONCE BRITAIN LEAVES THE EUROPEAN UNION?

No, the Government has confirmed that it will bring GDPR into UK law after we leave the EU through a new Data Protection Act, which is currently making its way through Parliament.

This means that, with less than four months to go until GDPR comes into force, early years providers should now be planning how they will take the necessary steps to implement the new law’s requirements.

WHAT EXACTLY IS 'PERSONAL DATA'?

Under GDPR, personal data is defined as any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, photograph, postal address, email address, bank details, medical information, identification number, location data or online identifier.

GDPR will apply to the collection and processing of personal data on manual filing systems, electronic devices and systems, and posts on social media.

SO WHAT WILL GDPR MEAN FOR ME IN PRACTICE? WHAT WILL I HAVE TO DO?

All early years providers will need to be able to show that they have the necessary processes in place to protect any personal data they hold, and ensure GDPR compliance. In practical terms, this is likely to mean that you will need to identify and document how you are holding personal data and for how long, implement additional data protection policies and procedures, and provide training for all staff involved in processing personal data.

Other things you will need to consider include:

Privacy notices: You must communicate to individuals exactly how any collected data (for example, from parents and carers) is going to be used. Under GDPR, these notices must include your legal basis for processing this data as well as how long you intend to retain it. You’ll also need to let individuals know that they can withdraw their consent for you to hold the data at any time, and that they have the right to lodge a complaint with the ICO. This goes well beyond the existing requirements.

Individual rights: Under GDPR, individuals will have more control over how their data is used. This means that as a provider, you will need to, for example, explain to parents and carers how you plan to use their data, make any changes if that data is incorrect and agree not to process it if they ask you not to.

Consent: Where you rely on consent for processing data you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. People will have to actively opt in. As stated previously, people can also withdraw consent at any time – this is likely to impact, for example, how you take and use photos of children.

Subject access requests (i.e. when an individual requests a copy of the information held about them): Under GDPR, if you receive such a request, you will need to respond within a month (down from the current 40-day limit) and, in most cases, will need to provide the information for free.

In addition, privacy impact assessments (assessments that identify and seek to minimise privacy risks of a new project or policy) and privacy by design (how to ensure data protection compliance from the start of a project, rather than adding it on as an afterthought at the end) are now legally required in certain circumstances – previously they were simply good practice tools.

The ICO has a useful and clear 12-step guide to preparing for GDPR, which contains more information (see below).

DO I NEED TO APPOINT A MEMBER OF STAFF TO DEAL WITH THIS?

Under GDPR, some larger organisations, such as larger nursery chains, may be required to appoint a specific data protection officer (a role that carries certain mandatory duties). However, for smaller providers, having an individual who takes the lead on ensuring your setting is GDPR-compliant will be enough.

IS THERE ANYTHING ELSE I NEED TO CONSIDER?

If you use a third party to process personal data (for example, an email or cloud service provider), they will be a ‘data processor’ under GDPR and will also have obligations under the new rules. Other data processors will include payroll processors, cloud-based nursery management software suppliers and cloud-based children observation software suppliers.

It is your responsibility to ensure that any third party has taken the necessary steps to ensure that they too are meeting the requirements of GDPR and that they have provided you with sufficient guarantees of this.

FURTHER INFORMATION

  • See the Pre-school Learning Alliance website: www.pre-school.org.uk/gdpr. The PLA has also developed online training, mini-guides and webinars.
  • The ICO website – www.ico.org.uk – has in-depth information; its helpline for small businesses and charities is: 0303 123 1113.

© MA Education 2024. Published by MA Education Limited, St Jude's Church, Dulwich Road, Herne Hill, London SE24 0PB, a company registered in England and Wales no. 04002826. MA Education is part of the Mark Allen Group. – All Rights Reserved