GDPR for groups

If you are running a baby and toddler, or parent and baby, group you may be wondering how data protection rules apply to you. You may not even consider your group to be a ‘data processor’, but if you are storing a list of families’ names and contact details, the General Data Protection Regulation UK (GDPR) will apply to you and your group.

You must ensure that you are only using any personal data you hold with the subject’s permission and you must make sure that it is kept safe. Examples of personal data you may be processing include email addresses, phone numbers and payment information. In some cases, you will need to register with the Information Commissioner’s Office.

Here are answers to some common questions on data protection rules for baby and toddler groups…

Does my non-for-profit group need to register with the ICO?
If your stay-and-play/parent and baby group can meet the criteria for the non-for-profit exemption, they would not be required to pay a data protection fee. To meet the criteria, the organisation must:

be established as a not-for-profit organisation, which may be stated in your constitution/articles
only process information necessary to establish or maintain membership or support
only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
only hold information about individuals whose data you need to process for this exempt purpose
only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration

An organisation would not be exempt from registering if:

it is responsible for CCTV
if it provides additional services outside of the organisation’s aims/objective that can’t be covered by the other exemptions
if it trades and shares personal data

If you are not sure whether or not you need to register, please check the ICO website’s registration self-assessment tool here.

If we do need to register with the ICO, what would our fee be?
The cost of the data protection fee depends on your size or turnover. There are three tiers of fee – £40 (tier one), £60 (tier two) and £2,900 (tier three). If you pay by direct debit you will get an annual discount of £5. Most organisations pay £35.

If you have charitable status or exempt charitable status, you will always be in tier one regardless of your size.

The ICO website also has a tool for working out your annual fee available here.

If we don’t need to register, what rules should we follow?
The GDPR applies to any business or organisation processing personal data in the UK. If you’re not sure, visit the ICO website guide on Getting started with data protection here.

For more information on GDPR for all early years providers, check the Alliance website here.

Do baby and toddler/stay and play groups need to appoint a Data Protection Officer?
A Data Protection Officer is required if you are a public authority or body or if your core activities requires large scale monitoring of individuals or large scale processing of special categories of data or data relating to criminal convictions and offences.

The ICO website offers a tool to help you decide if you need to appoint a DPO here.

What will happen if we don’t comply?
If you are not following data protection rules and you receive a complaint, the ICO may have to take action against you. You could also be fined if you do not pay the registration fee when required to.

Keeping information accurate and safe will help you run your group efficiently. Following the GDPR will also demonstrate to families that you are serious about keeping their information safe and give them confidence in how you are operating.