On the 25th May 2018 the General Data Protection Regulation came into effect and became law, which will impact all businesses including the Early Years sector. As providers we must be compliant with all new legislation that comes into force and we must meet the new requirements. It is a European law and includes the UK; this will remain in place even once we leave the EU.

The GDPR has been brought in to reflect more modern times, including the electronic processes we use to collect and store data. It is also intended to give individuals greater control over their own personal data. However, it is not just for those who use modern technology: the law affects any business which uses a highly structured filing system; in short, any setting that needs to process and store away personal data as part of its responsibilities. Personal data includes any data which can identify a person, including but not limited to names, addresses, invoices, dates of birth and email addresses.

GDPR uses two terms, the controller and the processor. The controller determines the purpose and the means of processing personal data. The processor processes data on behalf of the controller. As providers we will always be one or both of these.

The GDPR Principles are as follows: 

  1. Processed lawfully, fairly, and in a transparent manner. 

  2. Collected for specified, explicit, and legitimate purposes. 

  3. Adequate, relevant and limited to what is necessary.

  4. Accurate and where necessary kept up to date. 

  5. Retained only for as long as necessary. 

  6. Processed in an appropriate manner to maintain security. 

Lawfulness of Processing Data 

  1. Consent of the data subject.

  2. Processing is necessary for the performance of a contract with the data subject. 

  3. Processing is necessary for compliance with a legal obligation.

  4. Processing is necessary to protect the vital interests of the data subject. 

  5. Processing is necessary in the public interest or the controller has official authority. 

  6. Processing is necessary for the purposes and legitimate interests pursued by the controller or a third party. 

Consent 

All consent to collect or store data must be freely given. 
It should be unambiguous. 
Consent can be withdrawn at any time. 
Consent must now be freely given, so pre-ticked boxes will no longer be used; in short, people must now be able to opt in rather than opt out.

As providers we are already bound by the regulations set by the Information Commissioner’s Office (ICO) and pay our yearly fee to ensure all our data is protected by the laws of the country. 

Retention Periods 

This remains unaffected by the GDPR, and we must continue to store personal data for the specified length of time. We only hold what we are absolutely required by law to keep. If we have other information, you as the parents have the right to request it or to request that it be destroyed. Retention periods change, so please get in touch if you would like to know what the current regulations are regarding retention of personal data. We must also ensure we keep up to date with the latest retention regulations.

Any data we collect must fall into one of the 6 Lawfulness of Processing Data categories. If it does not, we can ask you for explicit consent, which you can withdraw at any time.
Of course, there will be some Acts which we must adhere to over and above GDPR; one example of this is the Children’s Act.

Data Breaches 

We will be obligated to notify the ICO of a data breach within 72 hours of becoming aware of the breach. We understand the huge fines in place for failing to follow correct procedures for a breach in data. 

I own this website and the images shown. I do not give anyone permission to copy photos or data, and no images or data can be copied without my permission.

I will use photos of the children on my website and Facebook page only with your permission. These photos will only be used to show examples of what activities or trips we do.