Your child centred business may leave you struggling with what people tell you about data privacy and GDPR. There’s a lot of misunderstanding and misinformation going around. Whilst many people will chip in with well-meaning advice, it is not always accurate or appropriate for the way you are working in your own business and with your client.
You may remember some of what you were taught when you had a job. But that understanding may be based on running a school or working in a local authority. You need to refresh that understanding and make it work for your new micro business if you are going to avoid getting into a total tangle.
Who is who – data privacy jargon
The jargon around data privacy can be confusing and unless you have a firm grasp on who is who, moving on to who does what can rapidly make your head hurt. Let’s look at the key terms:
As the boss of your business, you are acting as a data controller. A data controller is responsible for deciding what information your business collects about whom, how it is used, when and how it is shared, how it is stored, and when and how it is removed.
If you worked for a big organisation, they had a person (DPO) whose entire job was sorting this out. In a smaller organisation it would be a job for a Partner or a Director to add to their responsibilities. Now it is your responsibility to do this, and it starts not when you have clients, but when you start collecting personal data. For most of us that is at the sales and marketing stage when we start to collect the names and contact details of individuals we wish to approach.
Once you have information about a living individual then you have data subjects. They have all the rights that data subjects have. The size of your business does not affect that or exempt you.
Some of your data subjects will be adults – for example staff at schools you are approaching with a view to promoting your programmes or parents or team members. Other data subjects will be the children themselves. There are special rules for collecting, storing and sharing children’s data so it is important to be very clear from the start whether your data subject is over the age of 16.
You are always a data controller when you are collecting information that arrives directly into your business. For example, marketing, invoicing your clients, and credit control for your business.
But if you are receiving personal data from a school when you are running a programme that is invoiced to them, then the situation may change. As far as this information goes you will be acting as a data processor.
For example if you organise a workshop at a school for teachers and the school pays and sends you the names of the people attending, then you are simply processing those names in order to deliver that workshop. Or if you run an after schools club that you charge a school for and they give you the names of the children who will be attending along with the names of their parents or guardians you will also be acting as a data processor.
You are doing something for the data controller and they are sharing data with you (it is called 3rd party data sharing) under a contract so that you can do what you promised to do.
Many people are confused about what personal data is. Data is just another word for information. It does not have to be stored or kept electronically. For example, registration sheets contain personal data.
It does not matter in terms of this definition whether that individual is in business or a private person. If you have information that on its own (or together with other elements of information) allows you to identify a living individual, then you are collecting personal data.
Even email addresses like info@ can be personal data if you combine them with a mobile telephone number belonging to an individual who uses that email address and whose name you know.
This means that school contact data is usually just as much personal data as your team member or customer data.
Common problems for child centred businesses
Despite all the confusion around safeguarding and how it affects data privacy rights, the biggest area of confusion is collecting, sharing and storing data in inappropriate ways.
There are a host of online booking systems and support systems that whisk information up into the cloud and straight off to other countries. Simply by uploading information into them you are exporting data overseas.
Children’s data needs to be properly secured and stored and exporting it all overseas without an appropriate adult’s knowledge or consent is not a way to handle this.
As a data controller it is your job to check what is going on and to choose appropriate platforms that do not whisk your data away, or to set up appropriate processes to make sure people are properly informed when this is going on.
Some data controllers share too much data. We have seen team leaders wanting to share every child’s details with a team leader who is running just one class. There is no need for them to see information about children they are not going to see in their classes. It just increases the amount of data at risk. And if you let them download children’s data to their own phones and computers, you and they are increasing the risk – what if their systems get hacked or their phone is lost?
A little bit of planning goes a long way to avoiding disaster.
In this short series of blogs we will be exploring some of the common scenarios and mix-ups you will face. These come from support queries in our dedicated GDPR for child centred business group. They are not made up or imagined.