Early Years Providers Data Protection Seminar
Stephen Dorrian, Senior Lawyer, HBPL, 15 May 2018
Privacy Concerns
What Privacy? Social Media
What’s it All About?
Significant advancements in the field of information and communication technology and the growth in network interoperability (such as the internet, globally distributed corporate networks and the cloud) have radically increased the ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection. The reform was intended to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data.
Some Important Points
• Applies only to personal information
• Both automated and manual filing systems
• Freedom of Information Act unaffected
• GDPR places obligations on data controllers and data processors
• Subject to exemptions, gives individuals rights over how their information is used
Introduction
• The Data Protection Act 1998
• GDPR adopted May 2016
• Directly applicable in all EU member states on 25 May 2018
• Post Brexit – will remain in force
• Data Protection Bill September 2017 – will become The Data Protection Act 2018
• Evolution not Revolution
• ICO remains the Supervisory Authority
• Data Protection Bill – 194 clauses and 18 Schedules

The GDPR will become directly applicable before the UK leaves the EU (scheduled for 29 March 2019). Once the UK leaves the EU it will become a "third country" for the purposes of personal data transfers from the EU. It will be required to have an "adequate" level of data protection to that of the EU so that personal data transfers from the EU to the UK can continue to take place. The government has confirmed that the UK will implement the GDPR.
What’s New?
• New ‘Accountability’ principle
• Privacy ‘by design’ and ‘by default’
• Data Protection Impact Assessments
• Data Protection Officers
• Mandatory requirements in contracts
• Enhanced rights for individuals
• No fees and shorter response times
• Mandatory reporting of serious breaches

The obligation to notify the supervisory authority is replaced with the data controller's "accountability" obligation to demonstrate compliance with the data protection principles. Privacy impact assessments are required for high risk processing of personal data. Mandatory requirements must be included in contracts with ‘processors’. Fees are abolished and there is a shorter time for compliance with requests.
Data Controllers and Processors
There are two main roles under the GDPR: the data controller and the data processor.
• You will be data controllers when you collect data about the child and their family directly
• You will be data processors when you receive data from others
• If you contract with a company to process your data then they will be the data processor
The two roles have some differences but the principles of GDPR apply to both.
Data Protection Principles
Under the GDPR the data protection principles set out your main responsibilities:
• You must have a lawful reason for processing personal data and must do it in a fair and transparent way
• You must only use the data for the purposes stated when you collected it
• You must not collect any more data than you need
• It has to be accurate and there must be mechanisms in place to keep it up to date
• You cannot keep it any longer than needed
• You must protect the personal data with appropriate security measures
Accountability Principle
• You must be able to demonstrate and evidence compliance with these principles
• Records of Processing – you must have documents and processes in place to demonstrate that you are following the regulations and ensuring the safeguarding of the data that you hold
Demonstrating Compliance
• Data protection policies
• Privacy Notices
• Technical/organisational security measures
• Security Breach Management
• Staff training
• Internal audits of processing activities
• Must maintain documentation on processing
• Data Protection Impact Assessments
• Data Protection Officers

Article 5 of the GDPR requires a data controller to both:
• Comply with six principles when processing personal data (Article 5(1)).
• Demonstrate compliance with all six of the principles (Article 5(2)).
In addition to Article 5(2), Article 24(1) of the GDPR also requires a data controller to demonstrate that data processing activities comply with the GDPR's requirements. Articles 5 and 24 together form the concept of accountability under the GDPR, which is a key element of the regulation. The obligation to demonstrate compliance replaces the obligation to notify local data protection authorities of processing activities, which is a requirement in the EU Directive and its local implementing laws in several EU member states. As part of demonstrating compliance, the GDPR requires data controllers to maintain a record of processing activities.
Privacy Notices (1)
When you collect data you must provide the data subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language:
• Your identity and contact details
• Contact details of your representative or data protection officer (if applicable)
• The purposes and legal basis for processing
• The recipients or categories of recipients of personal data
Privacy Notices (2)
• How long you will hold the data
• The data subject's rights
• Where processing is based on consent, the right to withdraw that consent at any time
• The right to lodge a complaint with the ICO
• Where there is a statutory or contractual requirement to provide personal data, the obligation to do so and the consequences of a failure to do so
Privacy Notices (3)
• The categories of personal data obtained and the source of the personal data (if the personal data is not obtained from the individual it relates to, e.g. personal data you might obtain from the DfE or the council)
• The details of transfers of the personal data to any third countries or international organisations (if applicable)
Lawful Processing Conditions
• Consent of the data subject
• To enter or perform a contract
• To comply with a legal obligation
• To protect the vital interests of anyone
• To perform a task in the public interest or the exercise of official authority
• Legitimate Interests

Consent is unlikely to be freely given where the data controller is a public authority. In keeping with previous practice, it probably also continues to be unlikely that consent can be freely given by employees to their employers' data processing activities.
Consent
• Consent is one lawful basis for processing but there are alternatives
• The GDPR sets a high standard for consent
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Individuals must be able to withdraw consent at any time
Contract
You can rely on this lawful basis if you need to process someone’s personal data:
• to fulfil your contractual obligations to them; or
• because they have asked you to do something before entering into a contract (e.g. provide a prospectus)
Legal Obligation
• You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation
• This does not apply to contractual obligations
• Identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation
Vital Interests
• You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life
• The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way this basis will not apply.
• You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent
Public Task
You can rely on this lawful basis if you need to process personal data:
• ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
• to perform a specific task in the public interest that is set out in law.
Legitimate Interests
• It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing
• The legitimate interests can be your own interests or the interests of third parties. They can include individual interests or broader societal benefits
• You can consider legitimate interests to lawfully disclose personal data to a third party, and for processing children’s data, but you must take extra care to make sure their interests are protected
Safeguarding of children
You can process information without consent where the processing is necessary for reasons of substantial public interest, and is to:
• protect an individual under 18 from neglect or physical, mental or emotional harm, or
• protect the physical, mental or emotional well-being of an individual under 18
Special categories of personal data
• Racial or ethnic origin
• Political opinions
• Religious and philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Sex life and sexual orientation
Grounds for processing special categories of personal data
• Explicit consent for specific purposes
• To comply with obligations in the field of employment and social security and protection law
• To protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
• Exercise or defence of legal claims
• Safeguarding and reasons of substantial public interest
• Preventive or occupational medicine and public health
Individual Rights
• To be informed (Privacy Notice)
• To have access to the data
• To request rectification or erasure of personal data or restriction of processing
• Right ‘to be forgotten’
• To data portability (where consent based)
• To object to processing

1. The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
2. You must provide a copy of the information free of charge. The removal of the £10 subject access fee is a significant change from the existing rules under the DPA. You will have less time to comply with a subject access request under the GDPR. Information must be provided without delay and at the latest within one month of receipt.
3. Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
4. The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. Under the DPA, the right to erasure is limited to processing that causes unwarranted and substantial damage or distress. Under the GDPR, this threshold is not present. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger. There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request. You can refuse to comply with a request for erasure where the personal data is processed for the following reasons: to comply with a legal obligation or for the performance of a public interest task or exercise of official authority; the exercise or defence of legal claims.
5. Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. When does the right to restrict processing apply?
• If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
6. When does the right to data portability apply? The right to data portability only applies:
• to personal data an individual has provided to a controller;
• where the processing is based on the individual’s consent or for the performance of a contract; and
• when processing is carried out by automated means.
The right to data portability is targeted in particular at online service providers and is designed to promote further interoperability between online systems. Data subjects are to be enabled to move their data seamlessly from one online provider to another without losing any data previously disclosed to an online service or having to re-input such data. The provision is clearly aiming to create a more level playing field between online providers which have established a strong position, making it difficult for new entrants to gain a foothold because of the effort required for users to move their accounts.
7. Individuals have the right to object to:
• processing based on the performance of a task in the public interest/exercise of official authority (including profiling);
• direct marketing (including profiling).
You must stop processing the personal data unless:
• you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• the processing is for the establishment, exercise or defence of legal claims.
Right to erasure
• The data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
• The data subject withdraws consent and there is no other legal ground for the processing of the data
• The data subject objects to the processing and there are no overriding legitimate grounds for the processing
• The personal data has been unlawfully processed
Right to be forgotten
This requires the data controller to erase personal data, if the controller:
• is required to erase the data under the right to erasure
• has made that data public (e.g. published the information on the internet or shared the data with third parties)
This new right requires the controller to inform other controllers that are processing the personal data that the data subject has requested erasure by them of any links to or copies of that data.
Right (not) to be forgotten
You are not required to erase the data or inform third party controllers of the data subject's request to erase data to the extent that the processing is necessary:
• for compliance with a legal obligation to which you are subject
• for the performance of a task carried out in the public interest or in the exercise of official authority vested in you
• for the establishment, exercise or defence of legal claims
Data Processors - Contracts
• Currently if a contractor (data processor) breaches the DPA you remain responsible (though you can pursue contractual remedies)
• The GDPR places direct obligations on contractors and specifies contractual terms that must be included in data processing contracts, e.g. process personal data only on your documented instructions, no sub-contracting without consent, confidentiality and security of the data
Data Protection Officer
• The GDPR introduces a duty to appoint a data protection officer (DPO) if you are a public authority or if you carry out certain types of processing activities
• A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them
• EYP unlikely to have to appoint a DPO BUT it could be good practice to do so

Under the GDPR, you must appoint a DPO if:
• you are a public authority (except for courts acting in their judicial capacity);
• your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
• your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
Data Protection Impact Assessments
• DPIAs help you identify and minimise the data protection risks of a project
• Needed for processing that could be high risk for individuals or for any new technologies
• So this could be the introduction of a new IT system to record children’s progress that is shared with parents or the council electronically, or biometric data processing
Breach Notification
• A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
• Must notify ICO of breaches likely to result in risk to rights and freedoms of individuals
• Must notify those concerned directly where breach likely to result in high risk to the rights and freedoms of individuals
• Must notify ‘without undue delay’ and within 72 hours of becoming aware of breach
• Increased fines up to 20m euros

If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Compensation and Liability
• A person who has suffered material or non-material damage as a result of an infringement of the GDPR has a right to receive compensation from the controller or processor for the damage suffered
• The ICO can impose fines on controllers and processors for infringements of the GDPR. Fines must in all cases be effective, proportionate and dissuasive
The Data Protection Fee
• Under 2018 draft Regulations data controllers must pay the ICO an annual data protection fee unless they are exempt
• Controllers who have a current registration (or notification) under the 1998 DPA do not have to pay the new fee until that registration has expired
• ICO has the power to fine those who refuse to pay their data protection fee (the maximum penalty is £4,350)

The WP29 Guidance suggests that in order to avoid conflicts the DPO cannot hold another position within the organisation that involves determining the purposes and means of processing personal data. Senior management positions such as chief executive, chief financial officer, head of marketing, head of IT or head of human resources are likely to cause conflicts. However, it is not just senior positions that should be considered to be off-limits. Some positions lower down the organisational hierarchy may involve determining the purposes and means of processing, which will rule them out as feasible roles for DPOs.
35
How much is the Data Protection Fee?
Tier 1 – micro organisations: maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations: maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations: if you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
36
Exemptions from Data Protection Fee?
Processing personal information without an automated system such as a computer, i.e. paper-only processing.
Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee regardless of size or turnover.
Even if you are exempt from paying a fee, you still need to comply with your other data protection obligations.
37
Actions (1)
Awareness – train staff on GDPR
Register with the ICO if you have not already done so
Information you hold – organise an Information Audit and complete an Information Asset Register
Data Protection Policy – review and update
Privacy Notices – review your current privacy notices and make any necessary changes
38
Actions (2)
Subject access requests – review and update how you deal with subject access requests
Individual rights – check your current procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically
Legal basis for processing personal data – look at the various types of data processing you carry out and identify and document your legal basis for the processing
39
Actions (3)
Consent – review how you ask for, obtain and record consent and whether you need to make any changes
Contracts – review contracts and ensure new data processing contracts contain new GDPR-compliant clauses
Data breaches – make sure you’ve got the right procedures in place to detect, report and investigate a personal data breach
40
Actions (4)
Security – ensure your IT systems are robust and compliant with the GDPR
Data protection by design and default – embed data protection in your setting
Data Protection Officers – consider appointing a Data Protection Officer or someone to take responsibility for data protection compliance
41
Scenario (1) A practitioner in your setting has asked to update her learning journals and assessments at home on her personal computer. You see no reason why this should be an issue and grant the request and transfer the files onto a USB stick for her to take home. She inadvertently leaves the stick on the bus with some of her hard copy paperwork. What are the data protection issues?
42
Scenario (2) You have identified a potential special educational needs child in your setting. The parent is unwilling to engage and will not allow you to seek transition support unless you make no reference to the special educational needs of the child. You are completing a referral to the multi-agency safeguarding hub (MASH). The parent is refusing to sign the relevant forms. What can/should you do here?
43
Scenario (3) You have taken disciplinary action against a member of staff. The staff member has asked that you destroy his staff record when leaving the setting. What can/should you do here?
44
Scenario (4) The parents of a child are no longer together. Your contract of engagement is with the mother. The father enters your setting requesting information on the child. Do you release it?
45
Scenario (5) A parent is e-mailing you regarding a child (not using secure mail). The contents include personal information. Are there any data protection issues?
46
Sources of Information
The ICO Guide to the General Data Protection Regulation (GDPR)
Data protection self-assessment toolkit
Pre-school Learning Alliance
47
Over to You – Thank you for your attention. Questions?