Is your business GDPR-proof?

This is the dreaded topic of the moment, but the clock is ticking, and you only have 47 days left to make your business GDPR-proof.
The law will affect data you hold about parents/carers and children, but also staff members and candidates.
We know that you are all super busy running your clubs and taking care of kids, and this whole GDPR stuff might sound overwhelming, so we have compiled a clear list of actions that you guys need to implement to protect your business.

Know your terminology

Data controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; this is likely to be you!
Data processor: any person other than an employee who processes the data on your behalf, for example magicbooking 😉
Data subject: parents, carers, collectors, children, staff members and candidates
Personal data: data subjects’ names, addresses, contact details, email addresses, consents
Personal sensitive data: this includes data subjects’ racial or ethnic origins, religious beliefs, medical information, allergies, dietary requirements, disabilities & SEN, political opinions, trade union activities, or details of criminal offences
Processing: what you do with data including collection, recording, storage, use, disclosure, erasure…
Pseudonymisation: the process of rendering data unidentifiable, so it can no longer be attributed to an identified or identifiable natural person.
Third-party: a natural or legal person other than the data subject, controller or processor, authorised to process personal data, for example magicbooking 😉
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

As a childcare provider who needs to collect a large amount of data to safely operate your business, you are a data controller, and perhaps a data processor too. GDPR applies to both personal data and sensitive personal data.

The law principles

The GDPR law requires that data:

“a) is processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”

Data Controller list of actions

1. Have you audited your data flow?
One person with in-depth knowledge of your working practices may be able to do this. The aim is to identify the data that you process and how it flows into, through and out of your business.

  • How and when you collect data
  • Where you store data
  • How you use data
  • If, when and where you transfer data
  • When and how you dispose of data

2. Have you fully documented the personal data you hold?
You must record the following:

  • name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer
  • categories of the processing carried out on your behalf
  • details of transfers to third-parties including documentation of the transfer mechanism safeguards in place, if applicable
  • where possible, a description of the security measures you have put in place

You may be required to make these records available to the ICO on request.

3. Show that you are accountable and responsible

  • You must have a data protection policy; it should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.
  • Your data protection policy must be approved by the management team and must be published and communicated to all staff members.
  • Your decision makers and key people in your business must demonstrate support for data protection legislation and lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture within your business for data protection (leaflets, posters, team briefings…).
  • You must provide awareness training for all existing and new staff members whose responsibility involves handling personal data.

Don’t forget to regularly review your policy to make sure it is still in line with the regulation. A review every other year is reasonable, unless new regulations come into force.

4. Data subject rights

Data subjects (parents, carers, children, your staff and candidates) have the following rights:

  • access to their personal data
  • erasure
  • restriction of processing while a complaint has been raised by the data subject on the grounds that you are processing data unlawfully, e.g. you are processing data about parents’ trade union activity, which is obviously not relevant to your childcare activity. While the complaint is ongoing, you can no longer process the data
  • data portability (to reuse their data with a different service or business)
  • objection to processing, if there is evidence that their personal data should not be processed.

You must also obtain explicit consent to communicate with parents via email or SMS, and you must record when consent was given and log preference changes. Data subjects (parents, carers) should also be able to change their consent at any time, and you must explain their rights to data subjects (parents/carers).

While this is quite a lot in itself, the good news is that if you use magicbooking, all the above is covered: parents have access to the data you hold about them and their children, they can modify their data, access information about their rights or request that their data be anonymised (right to erasure).
Our state-of-the-art communication tool works in conjunction with the consents given by data subjects (parents/carers), which allows you to safely send marketing communications.

5. Data security

You must ensure that the data you hold is securely stored, i.e. access restricted by individual strong passwords, or in locked cabinets… Again, magicbooking has been designed to help you meet these security requirements: the platform uses encryption, is only accessible with individual passwords and, last but not least, is hosted on Microsoft Azure Cloud, which helps you meet GDPR compliance. Microsoft Azure leads the industry with the most comprehensive compliance coverage, enabling customers to meet a wide range of regulatory obligations, including UK G-Cloud, which is the UK government standard for government applications hosted in the Cloud.

6. Data protection by design

When changing processes you must ensure that the newly adopted practices are designed to comply with the law.

7. Data processing contracts

If you use a third-party data processor like magicbooking, you either need to have a contract in place between the controller (yourself) and the processor stating their obligations, or the third party may already have covered these in its Terms and Conditions, as is our case 😊

8. Data breach notification

Any breach must be reported without ‘undue’ delay after becoming aware of it. We have a template you can access here.

Disclaimer: This article contains information which is necessarily general. It does not constitute legal advice. It is essential that, before proceeding with a particular course of action, you take specialist legal advice on any relevant considerations which may apply in your specific circumstances so that you can properly assess your options and any associated risks and benefits.
