Jump to content
About Us

Preparation for the GDPR (#4 of 12)


Recommended Posts

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:

  • GDPR stands for: General Data Protection Regulation
  • The new regulation comes into effect from 25th May 2018
  • Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!

Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.

This is what early years settings might like to think about in preparation. 

  • Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
  • Use the audit sheet to document the audit process
  • Collate details from 'To Do' list - make action plan 
  • Complete action plan!

This is #4 of 12 threads which will help you think about what you need to do to be ready for 25th May

4. Individual rights

The GDPR gives people who are having their personal data processed ‘Individual Rights’. These are laid out in the post below, hopefully, in quite clear terms. The ICO also have posts about these which are worth a read! You can find them here:


1.       Right to transparency

When you talk to someone about the data you are holding about them, and in any other communication generally, make sure you are clear and easy to understand. Try not to use any jargon or any confusing language. It should all be provided in writing but can also be provided orally if the person requests it and if you’re sure you are speaking to the correct person.

2.       Right of access

Everyone who you have data on has a right to know about it. You should be able to show them the data collected at #2 in these posts and tell them about it.

3.       Right to rectification

Rectification means ‘put right’. So, the people you are collecting data on have the right to correct any incorrect information about themselves that you’re processing, and the right add to any data if they think that it’s missing bits, including by adding their own statement.


4.       Right to erasure

Erasure means ‘delete’. This is also known as the right to be forgotten. If the data is no longer needed for the initial purpose it was collected for, you (the controller) need to delete it. You should do that regardless of whether the data subject asks you to, but they may ask you to do it anyway. The data subject can also ask for it to be deleted at any point if you’ve collected it based on their consent and if you can’t prove that you have a legitimate need for it (a real reason that you need the data e.g. to contact them in an emergency) you must delete it. If you have shared it with anyone else, including other companies/software, you also need to tell them that the data needs to be deleted too.  


 5.       Right to restriction of processing

This involves you (the controller) continuing to hold onto the data but to no longer processing it in any other way (including deleting it). You will need to do this while you verify the data is correct if the data subject says it isn’t, whist you verify there is a legitimate need to process it, if the data subject objects, if you have been processing it unlawfully and the data subject doesn’t want you to delete it straight away, or if it’s no longer needed for its original purpose but if it is needed to aid some kind of legal claim.


 6.       Right to data portability

If requested, you need to provide any personal data to the data subject in a machine readable, commonly used, and structured way when the data has been collected based on consent, or because of a contract. This means that you need to be able to send the data by computer, so, for example, in a CSV file (an excel sheet). You also need to transfer that data to another controller if it is technically possible.

7.       Right to object

If a person asks you to stop processing their personal data, unless you have compelling legitimate grounds (i.e. grounds that override the rights and freedoms of the individual) for doing so, you must stop. So for example, you wouldn’t have to stop recording safeguarding concerns if the person who was causing the concern asked you to stop.

 All of these rights should be provided free of charge and within a month (this can be extended up to 2 months if you have a really good reason).

8.       Right to complain

This isn’t technically one of the individual rights, but you do need to inform the data subjects that they have all the above rights and the right to complain to a supervisory authority (the ICO).


  • Like 1
Link to comment
Share on other sites


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. (Privacy Policy)