GDPR for ECE and schools

Tips On Complying with the New Data Protection Regulations from the EU

Heads up, schools and services that use Educa software! You might just be a “data controller” —  and that has new legal implications.

Take a breath. It’s not that bad.

Here’s an explanation of what it means for child care centres, preschools and schools like you. Note though, we are not lawyers. This is a rundown on GDPR and what needs to be done.  Please do not treat this as legal advice. If you have specific questions or concerns about how you are using personal data, please seek legal advice.

EU regulation has a global impact

From 25 May 2018, a new General Data Protection Regulation (GDPR for short) comes into force. It’s the European Union’s (EU) new data protection framework. Please don’t turn off at this point because it does actually affect services even if they don’t operate in the EU.

And it is fast becoming the gold standard around the world for guidance on managing the personal data of others, best practice that we should all aspire to. For more info on GDPR, you can find the full regulation here.

Just to be clear though, GDPR regulates companies and entities that handle personal data of people living in the EU.

Don’t mean to scare you, but …

This probably includes you.  If you have a website, folks from the EU can see it.  If you use a family engagement tool like Educa, you could have EU-based uncles or cousins of children in your care, or maybe family members visit the EU and access your platform for updates. Can you claim ignorance? No. You risk being fined up to 4% of your global annual revenue if you ignore this regulation.

As we said though, unless you are taking in personal data for one purpose and then using them for another purpose, the changes GDPR requires are not that onerous.

Reason for the Regulation

At the crux of the changes is strengthening an individual’s right to privacy. The regulation does this by creating clear limits on processing personal data, boosting individual rights and, importantly for ECE services and schools, making them more accountable for data privacy, transparency and security.

Six data protection principles

  1. There must have a lawful reason to collect personal data and do it fairly and transparently.
  2. You can only collect data for the original reason for securing it.
  3. You shouldn’t collect more data than necessary.
  4. Those parameters should be accurate and you should have processes to keep updating it.
  5. You should keep the data any longer than needed.
  6. You must protect the personal data you have collected and stored.

Difference between the data controller and data processor

GDPR outlines regulations for data controllers and data processors.

Folks who collect and manage data, called “data controllers.”  If you are an Educa customer or use a SMS, a mailing platform like Mailchimp or a CRM like Salesforce, you are a data controller.

Companies who provide platforms, who process data for others are deemed “data processors.”  Educa is a data processor — our platform allows your service to process the information you collect, to store, secure as well as the communication tools you use through us.

You can learn what Educa, as a data processor, is doing to comply with GDPR here.

What Personal Data Is Affected?

The personal data in focus is anything that could directly or indirectly identify a living individual including:

  • Directly:
    • Name
    • Email
    • Address, etc or
  • Indirectly
    • Their location
    • Their customer ID, and
    • IP address etc.

The regulation has been broadened, too, so it covers genetic (DNA, for example) and biometric (finger print, iris scan, etc) data that can be traced back to a person.

What You Need To Do

The rules seem over-whelming, but for the most part they are reasonable.

The Key Themes

You need to be transparent when individuals offer you their data (like when they opt in to use your system, receive email newsletters, etc). At that point in time, you need to clearly explain what data you’ll collect/store and how you’ll use it plus have a clear link to your privacy policy.

You can only use the data for the purpose in which it was collected. Once that purpose ends (such as a child moves from your service), it’s time to delete that information. The regulation talks about a “closed-loop” or “double” opt-in process.

You need to have a process for removing someone’s information from Educa or any other platform you use if they make that request. The best approach is to create a flow chart like this.

ice data controllers data flow

There’s an extra swag of individual rights over their data you need to get your head around. Individuals have the right to be informed, have free access where possible, to rectify, remove (not absolute, but conditional), restrict processing, data portability and to object.

Get Compliant Now

Here are our tips to get into top shape for this regulation.

  • Check that your data is clean and up to date
  • Audit how your service uses personal data if you haven’t done so already – use these questions to help update your policies and procedures:
    • What sort of personal data are you holding, sending or using?
    • From where do you get that data?
    • How is it held or stored?
    • What’s it used for?
    • How do you make sure your service doesn’t disclose personal data to the wrong person?
    • Who do you disclose the personal information to?
  • Revisit your opt-in policy. Is it time to email your database contacts asking for extra levels of approval from them? Do you clearly state why you’re storing their info and the legal basis for doing so? Are you making it easy for individuals to quiz or complain to your staff about the data?
  • Dust off your privacy policy – does it clearly say how long you’ll keep data for? Does it reflect your current use of cookies? If not, update your policy.
  • Grab your processes to get up to speed on what you do internally. Think if someone asks to see the data you hold on them, or want it deleted.
  • Appoint a Data Protection Officer to oversee compliance and report / advise senior staff.

Educa has responsibilities, too

Our role is to ensure we’re GDPR compliant, too. As a data processor, we’re upholding our commitment to data privacy meeting a variety of standards in Australasia, North America and now the EU with GDPR.

Educa was already meets most of the encryption and privacy regulations included in GDPR.  However, as outlined in more detail here, we have been working on changes behind the scenes:

  • Assessing our platform continuously to ensure it remains GDPR compliant
  • Continuing to verify that our third-party vendors are GDPR compliant and if not, advising them
  • Revisiting and updating our processor and sub-processor agreements
  • Developing a process for meeting “erasure of data” requests
  • Updating our privacy policies and procedures – here’s our latest privacy policy
  • And a whole lot more things too numerous to mention!

So, we’re up to speed – are you?

And once again for your convenience, you can find the full regulation here.

Links & Resources:

GDPR information portal

Official Australian Government info

For Asia Pacific customers of Educa

CNBC’s advice for US-based companies

European Commission’s info

Some companies are blocking EU users




Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.