GDPR Overview

The General Data Protection Regulation (“GDPR”) will take effect across the European Union from 25th May 2018. It replaces the Data Protection Act 1998.

The GDPR is designed to harmonise data protection and privacy laws across the European union. It will bring about some changes in how businesses like us can use personal data relating to individuals and it provides individuals with more rights in relation to the use of their personal data.

Regardless of Britain’s plans to leave the EU, all organisations within the UK will still be required to comply with GDPR with effect from 25th May 2018.

We have implemented the following changes and actions in our commitment to be fully GDPR compliant:

  • Update of our Privacy Notice and Terms
  • Review and documentation of our policies and day-to-day activities in relation to personal data
  • Activation of technical updates in relation to personal data
  • Update of our consent mechanisms
  • Training our staff in relation to GDPR
  • Data Audit to review and implement GDPR compliance measures

Here are some FAQ’s to help answer any questions you may have

How will the GDPR affect my childcare setting and how should I prepare?

There are a lot of resources and information available which should help you navigate the new GDPR in the context of your childcare business.  Here are some useful links to our partner PACEY as well as the NDNA – National Day Nursery Association and the ICO – Information Commissioner’s Office.  You can also contact our Kinderly Support via live chat, email support@kinderly.co.uk if you have any specific questions around GDPR and Kinderly.

How is the relationship between Kinderly and a childcare setting defined for the purpose of GDPR and the processing of data?

There are two key relationships that are defined in the GDPR: controllers and processors.   As a childcare provider, it is important to understand this relationship to ensure compliance for your setting and when using software such as Kinderly.

According to the GDPR, Kinderly is considered as a processor and performs the role of processing data supplied by their customers – the childcare setting or the parent, each of who are defined as the controller.

As the controller, the childcare setting or the parent determines what personal data is provided and how and why that personal data is processed. As the processor,  Kinderly processes that personal data in accordance with the instructions of the controller.

As a processor, we rely on our customer to ensure that there is a lawful basis for processing the personal data they provide.  This is set out in our Terms of Use 

What is a Controller and a Processor?

Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

The organisations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects.

A childcare practitioner choosing to use Kinderly to process the data provided to Kinderly by them, makes them the Controller and Kinderly the Processor.

Does Kinderly share my data with any other companies?

In order to deliver our service Kinderly may leverage other third-parties in the processing of personal data. These are commonly referred to as sub-processors.  For example Kinderly uses Stripe to process subscription payments, Rackspace to host data and Intercom for supporting our users.  Kinderly is putting in place a contract with its sub-processors which will contain provisions required by GDPR.

We will not share your data with any companies for the purposes of marketing or any activities you have not given explicit consent to in our Terms of Use.  Here is a list of current sub-processors:

  • Intercom
  • Xero
  • Stripe
  • MailGun
  • Rackspace (for hosting)

Does GDPR have special rules around a child’s data and consent?

The GDPR provides special protection for children’s personal data. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.

The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.  For more information on this go to the ICO section on Children

Where does Kinderly store all of the child’s data files (observations, photo’s, video’s, learning journey)?

Kinderly uses a UK based data centre provided by the server hosting company Rackspace to store all the data. Rackspace is one of Kinderly’s sub-processors, as referred to above.

What tier level does the data centre have  of where the data is stored for Kinderly, so that I can tell the child’s parents?

The data on Kinderly is stored by Rackspace.  Rackspace have an equivalent of Tier 4 level uptime with the London data centre having a Critical Infrastructure Rating N+2.
(https://www.rackspace.com/en-gb/about/datacenters.https://www.rackspace.com/en-gb/compliance, https://www.rackspace.com/en-gb/compliance/iso)

How will GDPR affect Kinderly?

There should be no interruption to your access to Kinderly or to the reports and information generated from data that you have input into Kinderly. We have always taken data protection very seriously but our GDPR updates just mean that your data is now even more secure.  See above for the changes we are making to be compliant with the GDPR.

How long will Kinderly keep attendance registers and accident records and do I have the right to delete them?

We will keep these registers and records for the period determined by best practice in the education sector or as determined by law.

We are awaiting guidelines and further clarification from the ICO specific to the childcare sector and will update this section accordingly.

What happens to the observations and all the data entered to Kinderly when a child leaves the setting?

We will keep these registers and records for the period determined by best practice in the education sector or as determined by law.

We are awaiting guidelines and further clarification from the ICO specific to the childcare sector and will update this section accordingly.

What happens to my data if I decide to unsubscribe from Kinderly?

In accordance with the GDPR, Kinderly will, within a reasonable period. securely delete, destroy or, if directed in writing, return the users personal data which is in our possession or control unless a copy of the data is required for any applicable legal, regulatory or government reasons. Please refer to our Terms for more information.

Can I review, amend or export my data?

In line with GDPR, Kinderly has updated their procedures to ensure that it is easier for you to access your data and to review and amend it.  Please contact support@kinderly.co.uk with any requests around data portability.

Who should I contact if I need more help about the data stored with Kinderly?

Please email support@kinderly.co.uk or contact us via the live chat facility on the admin dashboard.