Regardless of Britain’s plans to leave the EU, GDPR will still be a legal requirement for all organisations that hold personal data – Trevor Still, IT Lead at National Day Nurseries Association, explains what your setting needs to know…
A: GDPR stands for General Data Protection Regulation, which becomes law on 25 May 2018. It covers the management and control of personal information. Regardless of Britain’s plans to leave the EU, this will still be a legal requirement for all organisations that hold personal data of any type.
A: GDPR will replace the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003. It increases the obligations that companies have regarding personal data and focuses on rights for individuals. There is an emphasis on a more robust protection for individuals and higher penalties on organisations that fail to comply.
A: This is classed as any data that can be linked to a single person and can identify them. Examples include a name, email address, postal address, telephone numbers, bank accounts and photos. But just an email address is not personal data unless it can be directly linked to more data that is stored somewhere else.
A: Yes, it does. But it also provides an opportunity for nurseries to engage with parents and build up trust and loyalty. Let them know what measures you are putting in place and that you are ahead of the game regarding their personal details.
A: Although consent is a huge part of GDPR, as a nursery you have lawful obligations that require you to collect, process and store personal data. In order to comply with regulatory frameworks and inspectorates across the UK, there is a large amount of data that you must hold and maintain. These legal obligations override GDPR and therefore you do not need consent to collect certain data from your parents or children.
A: GDPR works around the principle of consent and assumes the automatic right of privacy to individuals. If you are holding anyone’s data, they need to give consent to this and agree with what you intend to do with it. You would need to inform them how long you intend to hold on to this data and for what purpose.
Individuals have the right to be ‘forgotten’ and can also object to some use of their own data.
A: All organisations that handle this type of data have to comply. Failure to do so can result in sanctions. Serious breaches can be penalised with fines of up to 20 million Euros or 4% of your annual turnover.
If you accidentally lose, destroy or share data, this is a breach. Sharing in this instance means giving unauthorised access to personal data. Any breaches must be reported to the Information Commissioner’s Office. Find out how to do this at ico.org.uk.
A: It will mainly cost your setting in staff time – but you may wish to update your processes and systems, which could mean an investment.
A: It’s useful that everybody is aware of GDPR and what it means. All staff who handle data need to know more about the regulation. NDNA recommends that each setting appoints a lead person who is the designated data controller. They can work with all other staff who are designated as data handlers.
It’s also important that all staff can answer parents’ queries about how their data will be used and stored. Make sure you are clear about the benefits this will give and also your legal obligations regarding safeguarding the children.
A: The regulation becomes law from 25 May – settings must comply with GDPR from that date onwards. NDNA advises that businesses start planning now. Review what you are currently doing to comply with the existing laws and take it from there.
NDNA is running a series of face-to-face training courses on GDPR. Visit ndna.org.uk/events for dates and times. NDNA has also produced a fact sheet that sets out a 10-point guide on complying and includes sample communications to parents. This is now available in the online shop, which is free for members.