GDPR Case Studies

The General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018. As part of our work to support members in implementing GDPR, we have prepared some case studies which may be helpful for you in handling different scenarios in your service. 

1. Policies and Procedures Case Study

Case Study: It’s summer time and you are preparing for September. A few months ago, you heard about the General Data Protection Regulation (“GDPR”) which came into effect on 25 May 2018. You wondered whether this could have an impact on your service as you know that your service holds lots of personal details about children and parents. You are a member of Early Childhood Ireland and know that they have supports available for members like you to help you to comply with GDPR. You decide to investigate the matter further.

What should I do: On Early Childhood Ireland’s website, you go to the GDPR page where the template policies and procedures are available for free to download. Each template has a brief explanation to show what the purpose of it is. You download all the template policies and procedures and update them so that they include the name of your service. You make amendments to the policies to ensure they are applicable to your service. You include copies of the Data Protection Policy, Data Retention Policy, the Data Subject Access Request Procedure and the Privacy Notice for Parents in the pack of policies that you will distribute to parents of new children starting in September. You also distribute copies of the Employee Privacy Notice and Employee Data Protection Policy to staff so that they understand how you will manage and protect their own personal data.

2. Training Case Study

Case Study: Your staff team is preparing for the return of children in September. All staff have access to different amounts of personal data related to the children, for example, their address, parents phone numbers, details of any medical conditions etc. You would like staff to understand the importance of holding the personal data of children in order to ensure that this personal data is protected.

What should I do: Article 39 of the GDPR outlines that staff awareness raising and training is required. Having your staff trained will mean that the risk of a breach will be reduced. It is also important to document that employees have been trained so that if a breach does occur, you can prove that you took appropriate steps to prevent a data breach from occurring. Early Childhood Ireland offers online training for both Owner/Managers and staff. The training consists of a 40-minute module. The first 30 minutes covers the general principles of GDPR and your obligations under the regulations. The last 10 minutes covers a sector specific example of a childcare setting. Once the course is completed, employees receive a certificate of completion. You, as the employer, can hold these certificates on file.

For more GDPR case studies, please click here.