Jump to content
Home
Forum
Join Us
Articles
About Us
Tapestry

Preparation for the GDPR (#10 of 12)


Lauren
 Share

Recommended Posts

Following on from a forum question I thought it might be helpful to go through some of the issues that you might need to take into consideration in preparation for the GDPR that comes into effect next year.
I have been using this document as the basis of this piece: 
Preparing for the General Data Protection Regulation (GDPR). 12 steps to take now [ ICO. V.20 201700525]
Thing you need to know:
•    GDPR stands for: General Data Protection Regulation
•    The new regulation comes into effect from 25th May 2018
•    Much of it is the same as the current Data Protection Act requirements - however some things are different, and you need to know about them!
Something you need to do first: Work out who in your team will be able to help make sure you're compliant. It's probably good to have at least a couple of you working together so you can help each other out. 

You may also want to designate a Data Protection Officer. They will be able to advise you and check that you have done everything you need to. Not every setting will need this though - we'll come back to whether you do in post #11.
This is what early years settings might like to think about in preparation. 
•    Use the '12 steps to take now' document to audit what they already do to meet data protection requirements. 
•    Use the audit sheet to document the audit process
•    Collate details from 'To Do' list - make action plan 
•    Complete action plan!
This is #10 of 12 threads which will help you think about what you need to do to be ready for 25th May and is about data protection by design.

 Data Protection by Design and Data Protection Impact Assessments

This is the idea that keeping data secure and being aware of the potential risks of having it should be an integral part of your process when it comes to collecting and storing data. So, a couple of the things you need to think about are; if there was a breach how big of an effect could it have on the person it’s about, and how likely is a breach when considering how you’re planning to store the data.

For example, lets take a child’s name on their peg.

How severe would the impact of that be: If someone who shouldn’t be in your setting saw the child’s name, the impact of that would be quite minor. They would know that a child with that name went to your setting, but there isn’t a lot they could do with that data alone.

How likely is a breach: It wouldn’t be easy for someone to walk in off the street because the doors are locked outside of opening times and visitors are monitored and need to have a legitimate reason to come in. It’s quite likely that someone who doesn’t need to know each child’s name will come in and see it (e.g. cleaners), but the chance of them doing something with the data that would cause the child harm is very low, and the harm they could do is also low, so you may decide that no action is needed. Equally though, if you have both their first and surname on the peg, you may decide that you only need the first name.

The action there would be an example of data minimisation, which is something you should try to do as much as possible – that basically just means only use/store the data if you must in order to do what needs to be done. In my example above, you need to know which peg belongs to each child, but you can know that from their first name and maybe one letter of their surname, rather than their full name.

Thinking about this sort of thing and writing it down, is called doing an ‘data protection impact assessment' (DPIA). The ICO have a template for a DPIA which might be useful for you to have a look through, you can find that here.

If you’ve been following the posts we’ve been making, you may have already done most of one of those using the excel document we provided in #2 of 12. To add to that though, you should have a think about how the data subject might be negatively affected (economically or socially) by a breach and consider how well you’re securing the data, as described above. Do you think you think what you’re doing right now is secure enough? If not, you need to come up with some ways to change that.

As well as meaning you are following the law, doing this will help to reduce the chances of breaches, which are bad for your business as well as for the data subjects themselves!

Another thing that is good for you to think about as part of this, is restricting access to data to those who need it. I don’t think there would be much I could reasonably/would be willing to do to further restrict who could potentially see the names on my pegs, but other bits of data might be kept in a shared folder on a computer. If I felt that not everyone who has access to that computer/shared drive needs to see that data, I could move the folder to a computer only certain people have access to and password protect that document. 

  • Thanks 2
Link to comment
Share on other sites

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. (Privacy Policy)