You must have heard about the GDPR. It’s the new data protection law that will come into effect from the 25th of May 2018 and will apply to anyone who collects or processes the personal data of EU citizens. So, even if you are a small nursery, out of school club or childcare provider with a few children and a couple of staff, GDPR will apply to your childcare business as well. And in case you are wondering, Brexit does not affect the GDPR in any manner, and all UK businesses will need to comply with the new law. In this blog, we'll discuss GDPR for nurseries, what the changes mean for your setting and how you can prepare for it.
In many ways, the GDPR simply updates existing European law, which has been in force in the UK since 1998 as the Data Protection Act. In the electronically connected world that we live in today, it’s, in fact, crucial to give individuals various rights concerning the way their personal data is handled. Moreover, it’s always worth remembering that each of us, as well as being involved in some form of business or other, is also an individual with those same rights.
What can my childcare business do to become compliant?
First of all, there is no shortcut to compliance. However, the good news is - there is no need to panic.
The new law is here to help you protect your business’s, customers’ and employees’ data and contrary to a lot of alarmist propaganda, enforcement is not going to come marching to your doors on the 26th to slap you with a fat fine for not being compliant. All that deal about the £17 million fine or 4% of your turnover is meant for the systematic rule-breakers.
The main aim of GDPR is to put in as much security measures and processes in place to ensure that your business is conducted securely while being compliant with the new standards of this day and age.
However, remember not to fall into the trap of assuming that you can achieve compliance by making improvements to your cybersecurity. It is only one of the many steps in the process but is a great place to start your journey towards compliance. Most small businesses believe that cybersecurity measures will prevent data security problems. This is not the case. There is much more to security than just prevention, and that is true of complying with the GDPR as well. What is required is a practical approach to compliance, which would necessarily encompass the various aspects of prevention, technology, process and people.
Where do I start?
There are many helpful resources online which can provide guidance on the right path to compliance. The UK government’s GDPR toolkit for nurseries and preschools is a great source to start your preparation. Then there is the Information Commissioner's Office (ICO) guide on the GDPR which is a living document and is regularly updated. You might also want to take a look at Preparing for the (GDPR) 12 steps to take now. The Department for Education Video: GDPR Guidance for schools explains how you can review and improve your handling of personal data. Check out another read from the NDNA - National Day Nurseries association in the UK.
What can I do?
Now that you have gone through the resources which detail on what is required to comply with the new regulation, you can start preparing straight away for the GDPR. A robust compliance checklist for the GDPR would comprise the following:
Understanding your data: Make sure that you know what personal data you hold on parents, children and your staff in your setting. What is the information flow (where did it come from) and who can access this information? You can start by doing an information data flow mapping exercise. Remember that this does not only apply to information that you hold electronically, but it also applies to paper-based information that you keep in your setting. Knowing your data would inherently involve understanding (a) What data you have, (b) How is it stored? (c) Where did it come from? (d) How to keep it safe and private? (e) Do you share the data with anyone? (f) What do you use that data for?
Manage and mitigate risks to your nursery: This merely means that measures implemented in your childcare setting must take into account the level of security that is appropriate to the risk/threat. As a data controller, your responsibility lies in identifying and understanding those risk levels. Security measures that are risk-based ensure that priorities are established, and decisions are made through a process of evaluating data sensitivity, system vulnerability and threats based on its likelihood to happen. Risk assessment is a critical component of understanding your current position and is quintessential for coming up with a plan that would be compliant with the GDPR.
Implement comprehensive policies and procedures in your setting: Reviewing your privacy notices or policy is an excellent place to start. For example, the personal information you collect from parents, staff et cetera while making agreements or contracts. Now you will also need to explain your lawful basis for processing the data, how long you will hold the data for and so on and so forth.
Put in place appropriate and effective controls: This translates to nothing but the technical controls that you can put in place with regards to data management and its security, monitoring the controls, detection, response and corrective actions by way of remediation.
Put together an effective incident response procedure and plan: In the event of a data breach, your childcare setting should have the ability to respond in an organised manner. Having a proper process and incident response plan is vital in managing serious consequences such as closing your business, lost sales, damage to reputation, penalties etc. If you can detect an incident, make sure you know how you are going to respond to that incident, whom to get involved, whom to inform including your customers, business owners, local authorities etc. All of this would be possible only if a clear process is defined. Make sure that it is not just defined, developed and end up on paper alone, but is also implemented and tested to ensure that it works.
Remember that there is much work to be done and that your journey towards compliance does not end here. In fact, this is only the beginning but an excellent way to have your setting work its way towards compliance. After all the best way to ensure that your setting remains compliant and continually improves is by regularly testing, operating and managing the security measures, policies and procedures that you have put in place.
Please note, this article is provided as general guidance and does not constitute any legal advice. We do not recommend any specific product or solution as there is no one size fits all policy, procedure or controls and each childcare provider should ideally evaluate their individual circumstances before choosing the right solution for their childcare setting.