GDPR for nurseries: an expert’s view

Children’s data, security and the law for nurseries, with Steve McConnell, NDNA Director of Technology.

The Data Protection Act 2018, also known as the General Data Protection Regulation (GDPR) came into force on the 25th May 2018. Following its implementation there are still continuing questions regards data security across the sector.

To help I have listed the key points which should be considered, on a monthly basis, by your management teams. This does not need to be an onerous task but needs to be a regular reminder of where you are.


  • Children and parents need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
  • Think about the needs of children and parents from the outset and design your systems and processes with this in mind.
  • Compliance with the data protection principles and in particular fairness should be central to all your processing of personal data.
  • You need to have a lawful basis for holding and processing personal data. Consent is one possible lawful basis for processing, but it is not the only option. As mentioned in our training courses, Nurseries have a legal obligation to collect and process children’s data for their own use and on behalf of other external parties for example local authorities, Ofsted and HMRC. The legal obligation to process children’s data in most circumstances overrides many of the data protection principles.
  • You need to get consent from whoever holds parental responsibility for the child, retain this consent and track any modifications.
  • Children merit specific protection when you use their personal data for marketing purposes for example using photographs of children for extended periods of time.
  • You should write clear privacy notices for parents so that they are able to understand what will happen to their and their children’s personal data, and what rights they have. Your processes should complement these notices.
  • Children have the same rights as adults over their personal data and could request data access later in life. For example, they may want to see what personal data you hold; request rectification; object to processing and have their personal data erased. Again your processes should cater for all of these requirements.
  • An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

See a quick checklist to check where you are with GDPR at your nursery here.

Remember, you can still access NDNA’s full FAQs from nurseries here, including a free data audit download and other resources. 

GDPR resources for nurseries

GDPR Privacy Notice for nurseries:

  • FREE GDPR Privacy Notice for nursery members here
  • View headings to use in your own Privacy Notice here

GDPR record retention for nurseries:

GDPR factsheets for nurseries:

  • early years
  • GDPR
  • GDPR for nurseries

Similar Articles

NDNA Nursery Awards 2024: Spotlight on last year's winner - Overall Nursery of the Year Award

With the NDNA Awards 2024 nominations kicking off to a great start this month, we…
Read more

Top tips for working with children under three

Fundamentally, practitioners need to know and understand how caring for young children and meeting their…
Read more
Working with children under three: Old Station Nursery

GDPR Privacy Notice - England

£175.00 incl. VAT

or £0.00 for members. Become a member

Privacy Notice - England