GDPR General Data Protection Regulation

[enuffsenuf]

I am aware of a new regulation coming in next year and am suddenly being bombarded by companies wanting to sell me all sorts of wonderful stuff to help us through the new requirements.     We are of course already registered for data protection etc.    Does anyone know if we will automatically be contacted to formally register for this?  Or is it just something we have to comply with.    

[louby loo]

Well I'm going to be honest here and say I don't really know the correct answer, however going by what I've seen on our LA website I think we just need to be registered with the ICO - which we have been doing for many years anyway.

Whether or not the ICO are going to hike up their prices is another story though.

[FSFRebecca]

At our nursery we are starting with a data audit:

• what data are we keeping?
• Why are we keeping it?
• Do we keep it securely?
• Who has access to it?
• Does the person who the data is about know what we are keeping and why?
• Are we keeping it for an appropriate amount of time?

We intend to collect the details from the audit and then check that it complies with ICO best practice, we will then write to our parents and remind them what we are doing and why. We will also check that the companies that store data for us, e.g. Tapestry, our LA, our management system company for example are all also compliant. We might need to tweak some policies or put new procedures in place e.g. a "clear desk policy" which basically means that when people finish work they clear eveything away and lock it up if necessary. This is a useful documents that might help you https://ico.org.uk/for-organisations/education/

It doesn't come into effect until May 2018, so there is time!

[finleysmaid]

having spoken to a data manager about this they are suggesting that at the moment there should be no need for us to do (or change ) anything. An audit like Rebecca suggests is probably sensible for larger organisations, but as a 'small' data holder it is unlikely that anything other than ICO guidelines will need to be put in place. There should be NO need for anyone to pay for any services and the person I spoke to laughed and said it would be very tricky for them to charge you for anything because at present they wouldn't know WHAT you will need to do!! She warned that there were lots of companies trying to persuade people to let go of their money!!! The ICO are in charge of the new rules ...I am sure as long as you are registered with them that they will give further guidelines...for free...if needed!

[FSFRebecca]

On 11/7/2017 at 18:14, finleysmaid said:

having spoken to a data manager about this they are suggesting that at the moment there should be no need for us to do (or change ) anything. An audit like Rebecca suggests is probably sensible for larger organisations, but as a 'small' data holder it is unlikely that anything other than ICO guidelines will need to be put in place. There should be NO need for anyone to pay for any services and the person I spoke to laughed and said it would be very tricky for them to charge you for anything because at present they wouldn't know WHAT you will need to do!! She warned that there were lots of companies trying to persuade people to let go of their money!!! The ICO are in charge of the new rules ...I am sure as long as you are registered with them that they will give further guidelines...for free...if needed!

I agree, we're not paying anyone to do something we can do ourselves! Once we know more I'll make sure it's posted on here 

[enuffsenuf]

Thank you ladies/gents etc.   Phew thought I had missed something but we seem to be on the same page,   I kept being bombarded by companies wanting to help me through things (for a small fee of course)......I like the idea of an audit though just in case I get asked for something official by someone .   Thank you all

 

[FSFRebecca]

Watch this space .... I'm writing a guide with instructions and things to think about to help steer your thoughts - we can't ignore it, but we can definitely help you make it manageable. Hopefully we will have something on FSF site by the end of the week. Panic not friends, we're on it 

[FSFRebecca]

The first piece (of 12) has been posted now  It's in this new forum area: GDPR 

[PaseyLtd]

Hi all - have been following this topic with interest and also the instalments you've been adding Rebecca - thanks very much.

Just wondered what your thoughts were regarding displaying names which at nursery are everywhere from coat pegs, artwork to birthday boards!  I am thinking along the lines of adding a line to registration forms permitting the child's name to be used for display purposes within the nursery - gaining consent - do you think this would be compliant?

On a personal level I think it's crazy as many of the parents know the names of many of the children within the nursery anyway and so displaying names isn't telling them information that most of them don't already. 

Would appreciate your thoughts though!

Thanks in advance.

[hopeytg]

PaseyLtd - we use photo's for the children's pegs but don't put their names on, we were advised this would be good practice as technically they could be seen through the front door (you'd have to have very good eyesight but still a possibility)  The only place we have their names with a photo is on their self registration labels and they are not visible from outside. Not sure if this helps and agree the parents know the other children's names anyway but I suppose it reduces the risk.

[FSFRebecca]

20 hours ago, PaseyLtd said:

Hi all - have been following this topic with interest and also the instalments you've been adding Rebecca - thanks very much.

Just wondered what your thoughts were regarding displaying names which at nursery are everywhere from coat pegs, artwork to birthday boards!  I am thinking along the lines of adding a line to registration forms permitting the child's name to be used for display purposes within the nursery - gaining consent - do you think this would be compliant?

On a personal level I think it's crazy as many of the parents know the names of many of the children within the nursery anyway and so displaying names isn't telling them information that most of them don't already. 

Would appreciate your thoughts though!

Thanks in advance.

We have talked about that issue here too. The requirement is that you take 'reasonable measures'. I think that if you tell parents how their child's name will be used (ie to identify painting, pegs etc) and you take steps to secure the location i.e that you control who comes in and out of your setting then that is 'reasonable'. I can't see what else you can 'reasonably' be expected to do ...

[PaseyLtd]

Thanks Rebecca, I have just completed the introductory level training on the virtual learning site which gives a short intro to the key changes and I have found useful.  I am going to look at all of the data we collect, why we collect it, how/where we store it, who we send it to (if we send it anywhere) and also the wording of the consent on each form.  The term 'explicit consent' is used so I'm hoping it's just a case of checking that wording is explicit enough and privacy notices comply!  Registration with the ICO is already in place so I'm hoping any changes will be minimal!!

 

Edited January 21, 2018 by PaseyLtd

[finleysmaid]

On ‎16‎/‎01‎/‎2018 at 09:12, Rebecca said:

We have talked about that issue here too. The requirement is that you take 'reasonable measures'. I think that if you tell parents how their child's name will be used (ie to identify painting, pegs etc) and you take steps to secure the location i.e that you control who comes in and out of your setting then that is 'reasonable'. I can't see what else you can 'reasonably' be expected to do ...

surely as long as there are no links to surnames then this is just a list of names? as long as names cannot be linked with any data then this should not be a problem??

we hire our hall out..i couldn't possibly remove all the coat pegs each time. However we do remove any paperwork that might give links to any private information (allergy lists/registers/planning etc etc)

[FSFRebecca]

The GDPR, taken to the letter, refers to any personal data- so your names would constitute data. Potentially, the child could be identified - someone has their name, they know where they go to nursery etc. However, you are absolutely right that you cannot remove coat peg names every day. That is where the 'reasonable' comes in and where the importance of 'consent' is applied. I.e. If parents know that this is what you do, and agree to it, then it's not a problem.

[C1403]

My goodness. This seems a complete minefield. 

Something to go on my to do list with manager! 

 

[FSFRebecca]

Use our step by step guide - I did it at our nursery - the manager had it for a week, I had it for a week and our accounts person had it for a week and then we made a 'to do' list - which are working through at the moment. It took a month to do the 'audit', we have allowed a month to make changes to policies and procedures and then a month to let parents know of changes and deal with questions. Bags of time if you are organised 

[Panders]

There's an article this week in Nursery World regarding GDPR, strangely, thought I understood it until I read that article.   Will have to take another look at it all, sure it's a lot simpler than they are alluding to, as we are such a small pre-school.

[Rachel30]

On 07/11/2017 at 18:14, finleysmaid said:

having spoken to a data manager about this they are suggesting that at the moment there should be no need for us to do (or change ) anything. An audit like Rebecca suggests is probably sensible for larger organisations, but as a 'small' data holder it is unlikely that anything other than ICO guidelines will need to be put in place. There should be NO need for anyone to pay for any services and the person I spoke to laughed and said it would be very tricky for them to charge you for anything because at present they wouldn't know WHAT you will need to do!! She warned that there were lots of companies trying to persuade people to let go of their money!!! The ICO are in charge of the new rules ...I am sure as long as you are registered with them that they will give further guidelines...for free...if needed!

So would you say it’s best just to hold tight and see what else is said , I run s small Playgroup 

[FSFRebecca]

9 hours ago, Rachel30 said:

So would you say it’s best just to hold tight and see what else is said , I run s small Playgroup 

Absolutely NOT, you must make sure you are compliant. Please don't just wait and see. You do not need to pay anyone to do anything, we have written a 12 step plan to follow - you will need to start now. If you have a small playgroup, it won't take you long! This is the thread GDPR #1, it goes up to #6 at the moment and will go up to #12.

[finleysmaid]

On ‎14‎/‎02‎/‎2018 at 23:51, Rachel30 said:

So would you say it’s best just to hold tight and see what else is said , I run s small Playgroup 

Hi Rachel...this post has been running for a while and info has changed in the past few weeks. I would read the info put out from the government and make sure you are up to date. Have you registered with the ICO? and do you have an 'officer' in charge of data?

Levels of data collection will change depending on the size of your business and it can be tricky to decipher what you need to do so looking at it now so you know what you hold and why is important.

[Rachel30]

Thank you