Our use of cookies

We use necessary cookies to make our site work. We’d also like to set analytics cookies to help us understand how our site is used.

For more information about the cookies we use, see our cookies page.


Cookie settings

To change cookie settings at anytime, see our cookie settings page.


Necessary cookies

We need to use some cookies to provide essential functionality, such as, security and accessibility. These are called necessary cookies. You can disable them by changing your browser preferences, but our site might not function correctly without them.

Skip to main content

Support with domestic abuse

If you are experiencing domestic abuse, help is available. Major sporting events can be a difficult time for some people. If you are worried about your own safety, or that of someone you know, confidential support and advice are available on our domestic abuse page.

General Data Protection Regulations (GDPR) for early years providers

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and sets out how organisations must collect, use, store and protect personal information.

Early years providers, including nurseries, pre-schools and childminders, process personal data about children, parents, carers and staff. This means you must ensure that information is handled lawfully, securely and transparently.

Key GDPR responsibilities

Early years providers must:

  • Collect personal data only for legitimate purposes
  • Only gather information that is necessary for those purposes
  • Keep records accurate and up to date
  • Store information securely and protect it from unauthorised access, loss or misuse
  • Retain records only for as long as required
  • Be able to demonstrate compliance with data protection requirements

Consent and individual rights

Where consent is required, it must be clear, informed and freely given. This is particularly important when processing sensitive information, such as health or medical details.

Individuals have rights under GDPR, including the right to:

  • Access their personal information
  • Request corrections to inaccurate information
  • Request the deletion of data in certain circumstances
  • Understand how their information is being used

Data breaches

If a personal data breach occurs, providers must take appropriate action and may need to report the breach to the Information Commissioner's Office (ICO). In some cases, affected individuals must also be informed.

Further guidance

To help ensure your setting remains compliant with GDPR, refer to the following trusted sources:

This guidance should be used alongside a setting's data protection policies and procedures.