An introduction to what early years settings, nurseries and childminders must do to comply with the General Data Protection Regulation (GDPR), which comes into effect in May 2018.
The General Data Protection Regulation (GDPR) is a new EU law that will come into effect on 25 May 2018.
It will replace the current Data Protection Act 1998 and the changes will remain in place even after the UK leaves the EU in 2019.
GDPR will give individuals greater control over their own personal
The Little Lambs setting has already developed and implemented the following policies that align with the GDPR requirements:
LL-PL-058 Retention Policy.
Little Lambs is aware of these changes, has identified any gaps and has started to implement the relevant changes in order to be compliant by May.
Little Lambs and the GDPR
GDPR will condense the Data Protection Principles into six areas, which are referred to as the Privacy Principles. They are:
Little Lambs has a lawful reason for collecting personal data and collects it in a fair and transparent way.
Little Lambs only uses the data for the reason it is initially obtained.
Little Lambs does not collect any more data than is necessary.
Little Lambs ensures the collation of data is accurate and has mechanisms in place to keep it up to date.
Little Lambs does not keep data any longer than is needed.
Little Lambs protects all the personal data.
These privacy principles are supported by a further principle – accountability.
This means that the Little Lambs setting must not only do the right thing with data but must also show that all the correct measures are in place to demonstrate how compliance is achieved.
There is also an expectation that staff will be trained on data protection. Documentation on policies, procedures and training is going to be a key part of any effective compliance programme.
Appointing a data protection officer — Samantha Lamb is the appointed individual who takes the lead on data compliance.
Privacy notices — When Little Lambs collects any data, we tell people exactly how we are going to use it, who we might share it with and how long we will keep it, as well as giving information on consent and complaints.
Individual rights — Parents and guardians will have new and enhanced rights on the collection, access and deletion of their data, so I ensure that Little Lambs has mechanisms to allow individuals to exercise these
Consent — GDPR will require that Little Lambs has a legitimate reason for processing any personal data. Where Little Lambs relies on consent for processing data, I must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity will no longer suffice. Parents and guardians will have to actively opt in.
Data agreements — Little Lambs will now be obliged to have written arrangements with anybody processing data for them. Little Lambs ensures that anyone processing data will meet GDPR requirements.
New projects — Data protection will be incorporated into new projects and services at the development stage, not simply as an afterthought.
Breach notification — Little Lambs will be obligated to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours of becoming aware of the breach.