What is the GDPR?
The General Data Protection Regulation (GDPR) is a new law that replaces the Data Protection Act (DPA) 1998. It came into effect on 25 May 2018.
It extends the provisions of the existing DPA by placing greater obligations on how organisations handle personal data, and gives individuals more control over how their data is stored and used.
Data protection terminology
There is a wealth of information about the GDPR available on the ICO (Information Commissioner's Office) website and elsewhere, but the mass of detail can be overwhelming for small organisations, and the unfamiliar terminology can be confusing. (There are some links to useful pages at the end of this article.)
The key terms you need to be familiar with are:
- Data subject: means the person whose personal data is being processed.
In the context of an out of school club, this is likely to be a child, their parent/carer, or an employee.
- Personal data: any information about an individual that can be used directly or indirectly to identify that person.
In the context of an out of school club, this is likely to include child records, photographs, parental contact details, emails, staff employment records, etc. It does not matter whether the information is stored electronically or entirely on paper, the GDPR still applies.
- Data controller: means the person who decides the purposes for which, and how, any personal data is processed.
In the context of an out of school club, this will usually be the owner, manager or management committee.
- Processing data: means obtaining, recording, storing, organising, consulting, deleting or sharing personal data.
In the context of an out of school club this would apply to collecting, storing and using any of the information on the forms that you ask parents to complete (eg registration forms, medical forms, contact information, etc), plus any records that you keep about the children (eg attendance, observations, incident/accident records, etc), plus any information relating to your staff (eg application forms, staff records, appraisal forms, salary information, etc).
- Data processor: means any person other than an employee of the data controller, who processes the data on behalf of the data controller.
In the context of an out of school club, this might include the payroll company you use to handle your staff's wages, or the self-employed administrator whom you contract to generate your monthly invoices.
Principles of the GDPR
If you are already meeting the requirements of the DPA at your club (which you should be!), the requirements of the GDPR are mostly just an extension of these. The key principles of the GDPR are that personal data is:
- Collected and processed for a lawful reason, and in a fair and transparent way
- Only used for the purpose that you originally collected it
- Limited to that which is necessary for the stated purpose (in other words, you don't collect irrelevant data)
- Accurate and kept up to date
- Kept only for as long as it is necessary
- Kept secure.
Under the GDPR, you must not only meet these principles at all times when you handle personal data, but you must also be able to demonstrate your compliance.
Next steps for out of school clubs
In order to achieve the above, and meet the requirements of the GDPR, you should:
- Appoint a lead person for data protection within your setting. Most clubs will not need to appoint an official Data Protection Officer, unless they are part of a much larger organisation.
- Conduct an audit to identify what personal data you currently hold, where it is stored, how it is used, and who it is shared with. If anyone processes the data on your behalf you must make sure that they meet GDPR requirements.
- Review your current data protection procedures. Update your policies to make them more robust if necessary.
- Ensure that you have privacy notices in place when you collect personal data, and update them to reflect the GDPR requirements that you must tell people how you are going to use the data, who you might share it with, how long you will keep the data, and how they can make a complaint.
- Review and update your procedures for handling subject access requests (these must now be responded to within a month), and also requests to correct or delete data that you hold.
- Ensure that all staff are trained in your new data protection policies and procedures.
For more information on the specific steps you will need to take as an out of school club, download our GDPR: Implementation guide, or buy our GDPR for OSCs Pack which also includes some useful templates.
GDPR FAQs for small organisations (from ICO)
Information on GDPR for educational settings (from ICO)
GDPR advice service for small organisations
Preparing for the GDPR: 12 steps to take now (from ICO)
Guide to the data protection fee (from ICO)
This article is a simplified overview of the GDPR, and only considers how it is likely to affect a typical, small, out of school club setting. We have not attempted to cover all areas of the GDPR. For in-depth information about the GDPR, and especially if your club is part of a larger organisation or is in any way non-standard, you should consult the resources on the ICO website. Moreover, the ICO is still developing its own guidelines and updating them on a monthly basis, so further clarification on issues covered in this article may be available from the ICO in due course. It is your responsibility to ensure that your club is meeting all of the GDPR requirements.