read child

What is GDPR?

The General Data Protection Act

The previous Data Protection Act was revamped and replaced by the General Data Protection Act in 2018. It gives greater power to the individual to control how their data is used and stored and places a greater responsibility on organisations to be transparent with their data.

It is the reason that all websites must tell you what cookies they are placing on your computer and how those cookies will be used and what the data will go to. It is also the reason you can get rid of any cookie you do not want and change data that has been recorded about you.

Data protection terminology

The Information Commissioners Office (ICO) has a website with a ton of information, riddled with jargon and technical terms. It is an information overload that isn’t well organised and can be extremely confusing. That is why we’ve set out a list to help you wade through the jargon. The following are definitions of the most common terms associated with data protection.

These are the key terms you have to know.

  • Data subject: the person whose data is being processed. This could be a child, an employee, a teacher or a volunteer or Fred on YouTube who is letting Google collect data about the cat videos he likes to watch.
  • Personal data:  any information about an individual that could be used to identify them in any way, such as names, addresses, phone numbers, parental contact details, employment records or photographs, It is irrelevant whether the information is stored electronically or on paper.
  • Data controller: the person in control of the data, as in the head honcho who is decided how the information is being stored and use. Usually the owner or management committee.
  • Processing data:  doing anything with data such as obtaining data in any way, recording and storing, organising, sharing and deleting data. This could be by sending out and collecting forms asking for personal contact details, medical forms, accident records, attendance records, staff appraisals, salary info, wage slips etc.
  • Data processor: Anyone who is processing data on behalf of the data controller but is not the employer of the data subject. This could be your payroll processor or an external administrator.

What am I obligated to do under the GDPR?

The GDPA is just an extension of the DPA, as long as you’re meeting DPA guidelines, you’re meeting GDPR guidelines. You must make sure that the data is;

  • Collected and processed for a lawful reason (such as to let Fred see more cat videos and not to steal his credit card information), and in a fair and transparent way, transparent means the data subject should know what data you’re taking and what you are using it for.
  • Only used for the purpose that you originally collected it
  • Relevant, only what’s needed for the purpose it was collected for
  • Accurate and up to date
  • Only kept for as long as necessary (for example, deleted after a pupil leaves the school)
  • Kept secure.

Not only must you comply with all these principals you must be able to demonstrate your compliance.

How to comply with GDPR in practical terms

You need to make sure you’re covering all the points in the GDPR. In practical terms this means you should audit your company to assess all the data you have, where you are storing it, what you use it for and who you share it with. Then you can assess that you’re complying with the standards.

A good idea would be to appoint someone in charge of collecting and managing data. If your organisation is small, you don’t need a data protection officer, but someone should be on top of your data collection and making sure you’re complying with GDPR.

Just like when you surf the web and every website tells you about the cookies and makes sure you consent to them, you must make sure your data subjects know when and why you’re collecting data. Tell them how long the data will be stored for and what you’ll use it for. This could be sent out as a policy notice to members or customers, the first time that you request data from them.

Make sure that data subjects know how to complain and request that you delete their data. Then make sure that someone is dealing with these requests, within a month at most.

All your staff should be aware of and trained in all principals of GDPR/ If one of your volunteers takes a picture with a child from your club and posts it on their personal Instagram, they’ve violated GDPR and you will be held liable. Cover yourself by making sure they know the law,

By becoming a member of ICAP you’re joining a community of like-minded professionals and business owners in the children’s activity sector working towards excellence

Pip Wilkins

Pip Wilkins is the Chief Executive of the British Franchise Association (bfa). With 25 years’ experience in the franchise sector, Pip has worked her way up within the Association, gaining insight from all areas of the business and the franchise industry. She is well-known and highly regarded in franchising for her dedication and depth of knowledge. Pip regularly speaks at conferences and seminars both domestically and internationally, as well as writing on franchising matters for national, local and franchising trade press. Pip is also a regular judge for the annual bfa HSBC Franchise Awards, the Franchise Marketing Awards and Global Franchise Awards. Pip represents the UK at both the European Franchise Federation (EFF) and World Franchise Council (WFC). The bfa has grown to be one of the largest franchise associations in Europe, and one of the most successful associations in the world.

Theo Millward

Theo Millward is a graduate of Lancaster University with a BBA in Management. In 2016 Theo purchased UK swim school, Swimtime from the founders which teaches 20,000 children a week. Following a multi-award- winning digital transformation, during the global pandemic, Theo and his team founded Franscape, a saas that digitally transforms Franchise brands. FranScape won New Business of the Year at the UK Business Awards.

Andy Georgiou

Andy is the Founder of ICAP and a leading UK Franchise Business Consultant. He is fiercely committed to helping children’s activity providers build successful and profitable businesses. With qualifications in Business Management, Digital Media and Marketing, he has helped build, advise and grow leading 6 and 7 fiqure children’s education, sports and activity brands in the past 17 years.

Frank Sahlein

Frank has been active in the Children’s Activity Center industry as an athlete, coach, business owner, consultant and business broker. He is a native of San Mateo, California and graduated from San Jose State University in California (USA).
Frank was a pioneer of the Children’s Learning Opportunity Center concept from 1976 – 2016 at the Wings Center in Boise, Idaho (USA) – a blend of Sports Instruction, Arts, Education, Entertainment and Outreach programs.
As a business management innovator, Frank has delivered over 1,000 presentations for a variety of Children’s Activity Center industries such as gymnastics, swimming, cheerleading, dance, martial arts/ninja and child care/education.
3rd Level Consulting is a Business Development and Service Provider Partner for private industry companies, associations, and organizations in the USA, Australia, Canada, New Zealand, Singapore, the United Kingdom, Mexico, and Panama.
Two-time recipient of the National Business Leader Award from USA Gymnastics, Frank is the author of “Building Your Business Potential” and “Designing Your Empowered Life”. He is the creator of the SmartEDGE™ Business Applications and Management Certification Courses. He is the co-founder of LEAP Learning and the MetaSpheres Corp, and is the founder and Executive Director of the International Association of Child Development Programs.
His passions include his beautiful wife Lourdes Gonzalez, family, friends, fitness training, transformational reading and travel.