Preparation for the GDPR (#2 of 12)

[FSFRebecca]

Following on from a forum question last week I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:

•  GDPR stands for: General Data Protection Regulation
• The new regulation comes into effect from 25th May 2018
• Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!

Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.

This is what early years settings might like to think about in preparation. 

• Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
• Use the audit sheet to document the audit process
• Collate details from 'To Do' list - make action plan 
• Complete action plan!

This is #2 of 12 threads which will help you think about what you need to do to be ready for 25th May

2.    Information you hold

You need to be sure about exactly what data you are holding, why, and what you're doing to keep it secure. If you don't think it is secure, you need to think about what you can change so that it is. You also need to understand what, in terms of the GDPR, constitutes 'data', and especially what 'the special categories of data' are, because you'll need to pay particular attention to that. A rule of thumb to follow is ‘if it is possible to identify the person from the data, then it should be managed under GDPR'.

The GDPR defines personal data as: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

It defines 'special categories', also known as 'sensitive data' as: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

It isn't a problem to have data, you just need to have the consent of the 'data owner' (the person it's about) and it must be clear to them what you are collecting and why.

In early years there are examples when data is not held securely locked away (for example when you have a children's name on a painting) so you might want to consider whether you need to display that data (e.g. can you put their name on the back and anonymise it instead) and what measures you have in place to protect that data (e.g. you have a door policy that says only people who need to come in nursery, can come in, and when they're in they won't be alone and have the opportunity to take things off the walls).

This is a spreadsheet that will help you think about the data you collect. It challenges you to think about what you collect, why you collect it and then what you do with it once you have collected it.

GDPR spreadsheet, link to resources page