The General Data Protection Regulation, or GDPR, went into effect in the UK on May 25, 2018. As of this writing, the first lawsuits under this new regulation have already been filed against Facebook and Google to the tune of USD 8.8 billion.
While these are multi-billion dollar companies that have come under the gun, it is prudent to consider how this law could change your nursery or childcare data intake and protection processes. Before this new law, information was regulated by the Data Protection Act of 1998.
The GDPR also replaces the Privacy and Electronic Communications Regulations of 2003. It goes without saying that much has happened in the information technology sphere in the 17 to 20 years since these laws were passed.
The practical implementation of the GDPR is not explicit in all areas. Do not allow these vagaries to delay your preparation to comply with the new law. There are several steps you can take to move along the path of compliance, even if you have started a little late.
First, let's take a look at the General Data Protection Regulation itself.
Defining GDPR
The General Data Protection Regulation is built upon six principles and provides a number of individual rights.
- The regulation is based on the principles of fairness and lawfulness, purpose, adequacy, accuracy, retention, and rights.
- The GDPR provides individual rights including the right to be informed, the right of access, and the right to erasure (the right to "be forgotten").
- Other rights include the right to rectification, to restrict processing, to data portability, and the right to object.
- Individuals also have rights concerning automated decision-making and profiling.
The Lawful Basis for Processing Personal Data
The GDPR requires that you have a lawful basis for processing personal data. Without that lawful basis, you risk regulatory and legal issues. Article 6 of the GDPR lists six reasons that are acceptable as a lawful basis; however, the Croner Group recommends against using consent as your sole basis, since consent for processing a child's data could be withdrawn before you have completed processing all payments and subsidies for that child.
Steps to Prepare for Compliance with the GDPR in Childcare Settings
The following steps can help you determine where you need to update your policies and processes, and whether you hold personal data for which you have no lawful basis. If you do, ask yourself why you have it and whether you really need it.
1. Data Audit
Your first step is to perform a data audit. Identify all the personal information you store on the children, their parents, and your staff. As you audit, note where each data point came from and who can access it. Don't forget to include data you hold on contractors, including accountants, cleaning and catering employees, and IT companies maintaining your systems.
- Your audit need only include personal data, as that is the only data the law covers.
- For each storage method, record the type of security precautions that are placed on the data.
- Make a list of whom you share that data with, including family members and governmental institutions.
- State why you hold the data, e.g., for billing purposes.