Preparation for the GDPR (#5 of 12)

[FSFRebecca]

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:

• GDPR stands for: General Data Protection Regulation
• The new regulation comes into effect from 25th May 2018
• Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!

Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.

This is what early years settings might like to think about in preparation. 

• Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
• Use the audit sheet to document the audit process
• Collate details from 'To Do' list - make action plan 
• Complete action plan!

This is #5 of 12 threads which will help you think about what you need to do to be ready for 25th May

5.Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

This aspect relates to a situation where a data subject (e.g. a member of staff, a parent or a parent on behalf of their child) asks to access the data you are holding about them. You should get back to them as soon as possible (don’t delay!), and within a month at the most. If the request is particularly complicated or you’ve had numerous requests, and you cannot give them access within that month you must write to them and tell them and then ensure that they can access their data within a further two months. You cannot charge anyone for this, unless the request is ‘manifestly unfounded, excessive, or repetitive’, which you would need to prove, and if you do charge, you can only charge a reasonable fee, which needs to be based on how much it cost you to provide the information.
You must tell the data subject the not only the category of the data (e.g. their home telephone number) but also the actual data (e.g. the child's enrolment form), who you share it with, how long you’ll keep it for, and if it’s being used to make any automated decisions about the data subject. The data list you collected in #2 will be invaluable here!
There are exceptions though. You don’t have to provide information that relates to another identifiable person or anything that may impact the rights and freedoms of others (e.g. it might not be appropriate to reveal details about an ongoing investigation into a safeguarding concern) and if the request is ‘manifestly unfounded, excessive, or repetitive’ you can refuse it, but you do need to tell them why and that they have the right to complain to the ICO. For settings, if a parent is making a SAR about their child, it’s also important to think about whether the child could understand the data themselves – if so you should respond to the child instead.

If they have made the request electronically e.g.by email, you do need to provide the information in an electronic way too, even if you usually store that data on paper.