The General Data Protection Regulation, or GDPR, went into effect in the UK on May 25, 2018. As of this writing, the

first lawsuits

under this new regulation have already been filed against Facebook and Google to the tune of USD 8.8 billion.

While these are multi-billion dollar companies that have come under the gun, it is prudent to consider how this law could change your nursery or childcare data intake and protection processes. Before this new law, information was regulated by the Data Protection Act of 1998.

The GDPR also replaces the Privacy and Electronic Communications Regulations of 2003. It goes without saying that much has happened in the information technology sphere in the 17 to 20 years since these laws were passed.

The practical implementation of the GDPR is not explicit in all areas. Do not allow these vagaries to delay your preparation to comply with the new law. There are several steps you can take to move along the path of compliance, even if you have started a little late.

First, let's take a look at the General Data Protection Regulation itself.

Defining GDPR

The General Data Protection Regulation is

built

upon six principles and provides a number of individual rights.

The regulation is based on the principles of fairness and lawfulness, purpose, adequacy, accuracy, retention, and rights.

The GDPR provides individual rights including the right to be informed, the right of access, and the right to erase (the right to “be forgotten”).

Other rights include the right to rectification, to restrict processing, to data portability, and the right to object.

Individuals also have rights concerning automated decision-making and profiling.

The GDPR regulates the use and access of personal data. Names, email addresses, postal addresses, telephone numbers, photos and bank accounts can be classified as

personal data

if there is a direct link from the data to more data stored elsewhere.

Children's data is considered personal data. The GDPR may require changes to the way you acquire, process, store, and share personal data.

The Lawful Basis for Processing Personal Data

The GDPR requires that you have a

lawful basis for processing personal data.

Without that legal basis, you risk regulatory and legal issues. Article 6 of the GDPR lists

six reasons

that are acceptable as a lawful basis; however, the Croner Group

recommends against

using

consent

as your sole basis, since the consent could be withdrawn for processing a child's data before you have completed processing all payments and subsidies for that child.

Steps to Prepare for Compliance with the GDPR in childcare settings

The following steps can help you determine where you need to update your policies and processes, as well as decide if you have personal data that you have no lawful basis for keeping. In which case, ask yourself why you have it and whether you really need it.

1. Data Audit

Your first step is to perform a data audit. Identify all the personal information you store on the children, their parents, and your staff. As you audit, note where each data point came from and who can access it.

Don't forget to include data you have on contractors, including accountants, cleaning and catering employees, and IT companies maintaining your systems.

Your audit need only include personal data, as that is the only data the law covers.

The storage method must include the type of security precautions are placed on the data.

Make a list of whom you share that data with, including family members and governmental institutions.

State why you hold the data, e.g., for billing purposes.

Make sure your audit includes both paper and digital records, and if you have a clear, functional purpose for storing a piece of data, reconsider requesting and keeping it.

Create an

Information Asset Register

with the data from your audit.

2. Data Protection Officer

Next, appoint a Data Protection Officer. It is not required of all organizations but is good practice. If you are a public authority or perform "large-scale processing” of special categories of data, you must have a Data Protection Officer.

Do not select the manager of the facility to be the Data Protection Officer as that could cause a conflict of interest. However, the officer should report directly to senior management. The officer ensures compliance with the GDPR, audits all personal data your organization holds, establishes and maintains the information asset register, and keeps staff informed of their responsibilities to the law.

The officer also performs the investigation in the case of a data breach.

3. Register with the Information Commissioner's Office

All organizations that process personal data are

required to register

with the Information Commissioner's Office.

4. Train all staff in your nursery or childcare centre

Everyone from the volunteers and staff to the board or committee members of your organization must complete awareness training and understand all of your organization's policies and procedures on data acquisition and storage, consent, and data sharing.

One crucial piece of training is teaching everyone how to password protect a document and how to use the secure email system if you have one.

5. Consent and Privacy Notices

Along with updating policies and procedures to comply with the new regulations, update and post your consent and privacy notices. Each notice should state the type of information you collect, who collects it and how, why it is being collected, and how it will be used. Also, note whom you share the data with and any effects on the individual, including complaints and objections.

6. Data Sharing Agreements

Establish data sharing agreements with any organization that has access to your data or with whom you share it. Consider the security of the method through which the data is shared. Encryption is required for anything sent electronically. Password protect electronic documents to ensure limited access.

Compliance with the General Data Protection Regulation is a requirement of every organization that handles personal data as defined by the law. All aspects of acquiring, storing, accessing, and sharing data must be considered as you audit the information you currently maintain and any you request from clients and staff in the future.

The impact of information technology on privacy concerns is a chief issue of the 21st century. The potential for a disastrous data breach increases with every piece of data we record. The new law seeks to enforce those practices proven to keep personal data private and to guide organizations in their use of this data.