Guide to using the GDPR Pack for the Early Years Sector

The below guide is taken from the first part of our GDPR Pack, we are providing this here to give you some idea of what is involved in updating your policies and procedures for compliance with the GDPR. Click here for more information on the GDPR (General Data Protection Regulation) and how you can bring your early years service policies up to date with the help of our GDPR Pack.

GDPR and You

The General Data Protection Regulations, 2018 are designed to shift how we think about data protection. Broad in scope, the regulation expands what counts as personal data and grants new rights to individual data subjects. The regulation applies to any organisation, in or out of the EU, processing data on EU data subjects.

GDPR is a compliance regulation. The intent of the regulation is to assure that all organisations including Early Years’ services provide individuals with more control over their personal data. That intent is set out in the GDPR which is a set of complex new rules about data privacy, including consent, access, portability, erasure, notification of breach, and more. Penalties for noncompliance can be significant. The GDPR comprises 11 chapters, 99 articles, and 173 recitals.

Building data privacy and protection into your early years’ services touches every part of your service from parents, children, staff to your suppliers and contracts you have with compliance and funding authorities.
This pack will assist you develop your own privacy programme. You will need to identify what data you use, where it lives, and how you use it. We have done this for you. It is the Personal Data Register. You will need to establish protocols to secure personal data. Data should not be accessible to those who should not have access to it.


This is a quick guide to using the GDPR Pack. For further information and advice contact
For ease of use, all the policies, procedures, sample letters and data register are in one policy with the various other items as appendices. You should read the full document carefully.

Please note that as these the GDPR are new regulations we will review this pack and update it if necessary.


Action 1
Adapt the Data Protection Policy & Procedure

A sample policy is included. Read the policy carefully and insert the relevant information into the areas marked in red or highlighted. Remove anything that is not relevant. For example, if you don’t have CCTV please remove this section.

Action 2
Parents and Guardians

Parents should receive the new enrolment form and a copy of the Privacy Notice (Appendix III of Policy).

Action 3

Staff should receive:

  • The Contract of Employment (separate document) for new staff joining the service
  • An Addendum to the Contract of Employment (if your staff have contracts already) (separate document)
  • Privacy Notice (Appendix II of Policy)

Note: any medical/health data requires explicit consent.

Action 4

If you have a website, you will need a Privacy Notice (Appendix VI of Policy).

Action 5

If you share information with any third party or if a third party (accountant, payroll, HR advisor) processes data from your service you should ask them to complete a due diligence to ensure they are GDPR compliant and the data you share is safe.

Action 6

Services should ensure that all staff receive data protection awareness training.

Action 7

Check the physical security of your data. Refer to the Policy for more information

This pack is for your use only and must not be shared without permission


Data and information is provided for informational purposes for the Early Years Section only, and it is not intended for any other commercial or non-commercial purposes. Neither us nor any of our data or content providers shall be liable for any errors or delays in the content, or for any actions taken in reliance thereon and service providers should seek legal advice in relation to any specific queries regarding the application of the GDPR to the operation of their service where required.

Related products:

WP Popup