🎁 Get 40% OFF on your prime annual plan for one year when you upgrade. Use code: Prime-Annual-Spring24 View offer >

After all the frenzy it set off with its arrival, the European General Data Protection and Regulation (GDPR) turned a year old on the 25th of May 2019. GDPR was intended to unify the existing data protection regulations put in place by the individual member states of the  European Union.

The legislation is aimed at helping organisations devise a detailed strategy to protect the personal data of EU citizens and safeguard any data that can be used to identify an individual.

For childcare businesses the data can range from the personal details and data of children (who are currently under your care as well as the students who have left your setting), their parents, guardians, emergency contacts, current and former employees, business contacts and even the candidates you may have interviewed for various job roles) as well as other sensitive and confidential information that you might have in your possession.

And, quite understandably, the road to compliance is not straightforward for many businesses, as GDPR requires a detailed strategy and collaboration with stakeholders as well as a long-term commitment and a practical, solutions-based approach for effective implementation.

Now, what can you do to appraise your childcare business is GDPR compliant, one year on?

1. Do an Annual Data Audit

Schedule an annual data audit to get a clear picture of the data you have, the reason why you have it, and how long you have had it for. If you haven’t done so already, document your justification for collecting, storing and processing the data. Verify if the data you hold falls under any of the following six legal bases, as set out by the GDPR:

  • Consent
  • Contract
  • Legal Obligation
  • Legitimate Interest
  • Public Interest
  • Vital Interest of Data Subject

If there are areas you are still unsure about, and you are unable to access expert advice, you can try the free data protection self-assessment tool-kit and Lawful Basis Interactive Tool from the Information Commissioners Office (ICO), as a first step.


3. Ensure all historical data is diligently managed.

If you’ve retained records of children or staff who are no longer at your setting, ensure you are up to date with the retention period of records in your country. In the UK, the general guideline for the retention for childcare records are as follows:

Retention Period of Documents

  • Children’s records including registers, medication records and accident records: The legal requirement is a minimum of 3 years after the child has left your setting or until the next Ofsted inspection after the child has left (whichever is sooner). However, as a person can claim for personal injury up to 6 years after an incident and the limitation rules are postponed till the child reaches 18 years of age (Limitation Act 1980), it is recommended that the records are ideally maintained till the child reaches 25 years of age.
  • Staff records: Personnel files and training records – 6 years; Applications, interview notes of unsuccessful candidates – 6 months-1yr
  • Pay records: Salary records, Statutory Sick Pay (SSP) and Redundancy Details – 6 years; Statutory Maternity Pay – 3 years; Income Tax and National Insurance – 3 years
  • Health and Safety records: Staff accident records – 3years. Any accident records as specified by Control of Substances Hazardous to Health Regulations should, however, be retained for 40 years from the date of last entry.
  • Financial records: All accounting documents should be stored for 3 years if you are a Private Limited Company, and six years if you are registered as a Charity or a Public Limited Company.
  • Administration records: Complaints records must be maintained for a minimum of 3 years, while insurance policies and minutes should be retained permanently.

The Early Years Alliance has a comprehensive document detailing the retention periods for records and the authorities concerned.

 Labelling and Deleting Documents

It’s acceptable to scan documents and store them electronically to save space, provided they are as legible as the original documents. However, when storing the documents digitally, it’s considered best practice to label the folders by their destroy dates rather than the name of the child/person. Also, remember to enable password protection for confidential documents. When it comes to paper documents, make sure all documents are disposed of securely using cross-cut shredders or appropriate confidential waste bins.


3. Make sure all consent forms are up to date.

Check all photo release forms, consents for learning journals and other consent forms you have collected from staff and students for non-legislative purposes are up to date.


4. Review your centre’s contact information.

Review your centre's contact information, including address phone number (s), email ids and ensure they are all current and up to date.


5. Have a clear email policy.

If you are not doing it already, make sure you have a clear email policy which all staff members are aware of. Ensure all staff members are aware of the procedure, as something as seemingly simple as failing to use BCC when distributing an email to multiple recipients can be a breach of GDPR, as it would mean the name and email of others in the list are shared with other recipients, without their consent. Check out this article on 5 ways your emails can breach GDPR.


6. Keep staff training and policies up to date.

Make sure all staff training and policies are up to date, and all members of your team are aware of any changes in policies or regulations on confidentiality, data protection and management or social media usage. Also, ensure you routinely review all passwords to ensure no accounts or security entry systems are vulnerable.

Still unsure if you are GDPR compliant? Try the free GDPR quiz from MediaPro.

Please note, this article does not provide an exhaustive list of GDPR compliance tasks and is intended as general guidance and not as legal advice. But we hope it gives you a general idea of the important areas to think about.


You Might Also Like:

GDPR for Nurseries and Out of School Clubs: How to Prepare for it

The Dos and Don'ts of Online Safety for Early Years


If you are struggling with record-keeping, find out how Cheqdin’s childcare software can help you record, manage and store your childcare records from sign in-out sheets, daily diaries to invoices all in one place. Get in touch with us to find out more.



Recent Comments