Data privacy jargon buster for your child-centred business

A data privacy jargon buster is a handy thing as the jargon around children and data privacy can be confusing.

Just as you can be a mum, sister and daughter and still be yourself, the name for each role depends on who or what it is in relation to.

GDPR jargon buster

Data controller

When you are running your own business you are acting as a Data Controller. 

It’s your job to make sure that you have what is known as a lawful reason for collecting the information you collect for your business. You also need to secure it and not keep it any longer than you need to. 

Other data controllers around your business

If you are working through a school then the school is a data controller for the information they share with you.

If you are working through a franchise system then the franchisor is a data controller as well as you.

Many child-centred business owners think that if the school or franchisor is a data controller, there is nothing they need to do. But you are always responsible for any personal data collected by your business.

Parents are not data controllers in this technical sense, since they are not businesses sharing information with you.

Sometimes you can be a co-controller with another controller if both of you are deciding what to collect and store. You both need to take advice on that one since the rules on data sharing and data privacy policies are slightly different when this is the case.

What documents does a controller need to have?

Data Privacy policy  

Every data controller needs to let their data subjects (or their parents, depending on their age) know exactly what they are up to.

A data privacy policy is a document designed to tell your data subjects what is going on and why. You will need a data privacy policy for your business explaining to your data subjects what you are collecting, why, who you are sharing it with, whether it is leaving the UK, how long you are keeping it for and how they can contact you to make a data subject access request or ask to have their information updated, changed or removed.
 
Some people think you only need one if you have a website, but you need one if you are collecting information about living individuals. It is useful to put a copy of, or a link to, your data privacy policy on your website, but if you don’t have a website you can create a link in Dropbox, SharePoint or Google Docs and make it available that way.

Are you sharing data outside the UK? 

If you are using online booking systems, accounting systems, or even email systems then the chances are you are storing data outside the UK.

The biggest problem you may have with this is working out where the data you collect is being stored. It is surprisingly difficult to find out from some software and app creators where all that data is going. Their data privacy policy will tell you where information about YOU is going (or at least it should do), but what they do with information you put into their systems about other people is not always covered in their data privacy policy. Sometimes it is covered in data security documents. Sometimes it is simply not mentioned at all.

We spend a lot of time supporting our GDPR clients and helping them find out the answers. It never ceases to amaze me how difficult some organisations make it to discover this information, as none of us should be sharing any information within their platforms UNLESS and UNTIL we know!
 
You will find some free versions of software don’t give you the option to choose, whilst some paid versions let you choose the UK or EU as your ‘data location’. It keeps changing, so this is something worth checking from time to time.

When you had a job it was usually someone else’s job to figure this out. Now you are the boss, it’s your job unless you are paying someone else to figure this out. 

High risk and special category information 

Information about children should be viewed in security terms as high risk. If information about where a child can be found on a regular basis, their name or their address is leaked into the world, it is possible that it can fall into some very dodgy hands and pose a real risk to the child.

Similarly, information about allergies, health conditions or even their religion is known as special category data. This should be subject to additional security and only shared as narrowly as needed.

Sharing such data outside the UK needs extra steps, from consent to security, and you should avoid putting this into any software or platforms that export it without taking specialist advice.

Data processing agreements

If a school or franchisor is collecting data about individuals and sharing it with you, they are still a data controller, but you are usually a data processor handling data on their behalf.

This usually happens when they take the initial booking details and pass the information on to you.

Where this is the case, they should be providing you with a data processing agreement (known as a DPA) setting out what you may do with this information, how it should be stored etc.

This is an entirely separate thing from a data privacy policy, which is for the data subjects.

One of the biggest problems is that they don’t know that, and so they don’t provide one. So we give you the bare bones in a KoffeeKlatch contract so you can create one together.


Common data privacy policy problems 

One of the biggest problems with data privacy policies is that people think they are ‘paperwork’ that goes on a website and that they can be purchased, like a book, and just uploaded.

Having no data privacy policy at all is not a good idea. But what is a worse idea is having one you copied, or got your web designer to upload, that does not reflect the way you handle data in your business. If that policy is incomplete, or worse still untrue because you are not doing the things the policy says you are, you will find yourself in a complete muddle if you have a data breach or something goes wrong.

Even if you have a franchised business with a template data privacy policy, you need to be sure that the policy reflects what you are actually doing and how you are handling data.

Did your web designer do a data privacy policy for you? 

Web designers want you to have a data privacy policy on your website so that they can tick the boxes of data privacy policy and cookie policy. Unless they do a data audit, they have no way of knowing what is going on with your total business. Nor do they have the skills or the time to work that out. Having a ‘fake’ policy – by which we mean one that is simply stuck there and does not reflect your actual working practices – can make you look compliant, but it won’t make you compliant.

Did you just copy someone else’s policy? 

We regularly see data privacy policies that simply do not reflect what a child-centred business would normally be doing. Not only that, when we ask the owner “What does that mean?” they have no idea that this means they have promised to do specific things.

Not just a piece of paper 

A good data privacy policy is the result of knowing how you handle personal information in your business and is the end of a process, not a substitute for having one. And it needs updating when you change how you operate or take on new software and apps, new people etc.

It is good to review your policy against what is going on. The process of reviewing what is going on is known as a data audit. In a small business that should not take all that long, but it is worth doing. 
