The General Data Protection Regulation came into force on the 25th May 2018 affecting all businesses regardless of their size. In order to comply with the law and avoid high fines, it is important to be GDPR compliant in your collection, recording, storage, use, disclosure and deletion of personal data. This applies to data relating to both the parent/guardian and the children you mind.
Ensure that you are aware of the GDPR and how it can impact your childminding business.
At its maximum the GDPR provides for fines of up to €20 million or 4% of annual global turnover. More relevant to childminding businesses is the fact that it provides for individuals to sue businesses for both material and non-material damage as a result of non-GDPR compliance.
Conduct a data protection audit
Review all personal data you hold, whether that data relates to current or former parents/guardians and children and consider the following:
• Why are you holding the data?
• How did you obtain the data?
• Why was data gathered originally?
• How long will you retain the data?
• How secure is the data, both in terms of encryption and accessibility?
• Do you ever share the data with third parties and on what basis might you do so?
Pay particular attention to outdated data which you may no longer justify retaining. The GDPR does not specify any particular retention periods for personal data; however, it clearly states that such data must be kept for no longer than is necessary for the purpose for which it was processed. Retention periods must also be guided by individual business needs.
Accident and incident information should be retained indefinitely, as claims could be made at any point by a “child” during their adulthood.
Consider why you have collected personal data
You must be able to explain your reasons/uses for processing personal data. For example:
• Consent from the parent/guardian in relation to photos/videos
• Necessary for the performance of a contract
• Necessary for compliance with a legal obligation to which the childminder is subject
You must be able to show you have been given consent freely, that it is specific, informed and unambiguous. Prior to giving consent, parents/guardians must be informed of their right to withdraw consent at any time.
GDPR provides additional safeguards for children accessing online services and consent will only be valid if it is given or authorised by a parent/guardian.
Review your data protection notices/policies
Review your data protection notices/policies to ensure compliance with the new rules. If you do not currently have data protection notices/policies, these should be put in place as the GDPR emphasises their importance.
The GDPR contains enhanced rights for individuals. These include the right to:
• Request a copy of their data
• Correct inaccurate data
• Have certain information erased
• Restrict the processing of his/her data
• Transfer data from one organisation to another
• Complain to the Data Protection Commissioner
Data Access Request
Parents/guardians are entitled to see the personal data you hold about them or their children. You have one month to respond to their request. Documents will have to be provided free of charge, unless the request is “manifestly unfounded or excessive”, in which case a reasonable fee may be charged.
Review your data security procedures
The security of personal information is extremely important. All documentation must be securely locked away and not accessible to any other party. Ensure your computer is password protected and not in view of others.
The GDPR requires that as a business owner, you notify the Data Protection Commissioner of a data security breach within 72 hours of becoming aware of the breach.