Our use of cookies

We use necessary cookies to make our site work. We’d also like to set analytics cookies to help us understand how our site is used.

For more information about the cookies we use, see our cookies page.

Cookie settings

To change cookie settings at anytime, see our cookie settings page.

Necessary cookies

We need to use some cookies to provide essential functionality, such as, security and accessibility. These are called necessary cookies. You can disable them by changing your browser preferences, but our site might not function correctly without them.

Skip to main content

General Data Protection Regulations (GDPR) for early years providers

The General Data Protection Regulation (GDPR) is a European Union law that came into effect on 25 May 2018. It replaced the earlier Data Protection Act 1998 and introduced stronger protections for individuals' personal data.

For early years providers - such as nurseries, preschools, and childminders - GDPR applies because these settings handle personal information about children, their parents or guardians, and staff. This data must be managed carefully and lawfully to protect everyone's privacy.

Under GDPR, data must be collected and processed fairly, transparently, and only for clear, legitimate reasons. Early years providers should only gather data that is necessary, keep it accurate and up to date, and not retain it longer than needed. You are also required to protect the data from unauthorized access, loss, or misuse through appropriate security measures.

Consent is a key part of GDPR, meaning that providers must obtain clear permission from parents or guardians before collecting or sharing children's personal information, especially sensitive data like health details. Parents and, where appropriate, children have rights to access the information held about them, request corrections, or ask for data to be erased.

In the event of a data breach, early years providers are obliged to notify the relevant authority quickly and inform affected individuals if their privacy is at risk. By following these principles, early years providers help ensure the privacy and safety of the children and families in their care.

For further information to ensure you are compliant with GDPR, please refer to the following trusted sources:

  • Information Commissioner's Office (ICO): The ICO is the UK's independent authority on data protection and privacy. Their website offers detailed guidance, resources, and tools specifically designed to help early years providers understand and meet GDPR requirements.
  • Early Years Alliance: This organisation provides support and advice for early years professionals, including practical guidance on data protection and GDPR compliance tailored to childcare settings.
  • Herefordshire Records Management: They provide guidance on the legal and recommended retention periods for records kept by early years providers, helping you understand how long different types of data should be securely stored before disposal.