Play

Today on The GDPR Series podcast, our focus is straight business talk, children’s data and moving from paper to digital!  I chat with a creative business owner who deals with most of her data protection compliance tasks herself.  Besides helping me translate data protection compliance language into plain speak,  she shares with us how to just get on and do what needs doing.  This business owner writes her own policies and does her own vendor risk assessments!  Listen to find out more.

Our guest today is Stephanie McSherry the creative, and all-round wonder(ful) woman, owner of Kinderama.  Kinderama is a unique multi-activity series of classes developed for the younger child’s abilities and attention span where every week has a different theme.  Steph knows kids and kids love to try new things so Kinderama offers a huge variety of activities including dance, drama, music, gymnastics, yoga, sport and mindfulness.  Besides classes, Kinderema offers holiday camps and voucher sales.

In this episode, Steph shares how she goes about meeting her data protection compliance requirements in really practical, no-nonsense ways.  Steph has a common sense and direct approach which really works for SME GDPR compliance.  We discuss the responsibility involved in minding children’s data, including special categories of data (health data), minding the movement of data between locations, assessing vendors and the responsibilities of paper-based data versus digital data.  If you’d like to learn more about Kinderama or book your smallies into classes or camps, you can use the contact details below.

Tel: 086 2446433
E-mail: info@kinderama.com

Kinderama Website

Interview Transcription:

Philipa Farley 0:01
Hi, and welcome to our podcast called The GDPR Series, where we discuss data protection, privacy, and cyber security matters that ordinary people in everyday businesses face. We have a series of really interesting and lovely guests and we hope you enjoy listening along with us.

Thank you so much for joining us, Steph. Stephanie McSherry, your business is Kinderama. I’m going to let you do the introduction for the business because you know it best, but I just want to say thank you for your time. And, it’s a real pleasure to chat to you as a real business out there dealing with what we consider to be a vulnerable group of people: children, and looking after children’s data. So just a short discussion on that but yeah, tell us a bit about Kinderama.

Stephanie McSherry 0:50
Okay, so Kinderama is a programme that pre-schools and creches can buy in, or the parents can buy in. It’s a multi-activity programme. So we do a little bit of everything: dance, drama, sports, music, yoga, and just for pre-school aged children. So they’ve got a little bit of everything to try. And we also run kind of mini camps during the school holidays: kind of two or four day camps, for pre-schoolers, getting them ready for the school environment.

Okay, so when I hear that story, what I hear is that you have actually quite a fast turnover of quite large amounts, or groups, of data subjects: children. So, your records must be massive, and your record management must be quite intense for you, besides the, I suppose, the management within programmes of records, the retention is quite an issue, in terms of data protection. Yeah. Those are the words I hear when you’re talking. Other people will hear beautiful classes, you know, fun stuff, and I’m kind of going like: “Oh my god, how do you actually even stay on top of that?” Because it’s really intense and it takes up a lot of time. And that’s kind of what we’re focusing on with these chats with business owners is managing the data protection in a realistic way. Simply.

Philipa Farley 2:10
Yes. And then, and so our turnover would be yearly. So anyone that enrols with us in a September, we would keep their records until the following September, and then everybody gets re-enrolled, even if the children have spent more than one year with us. And, at the moment, we enroll them on hard copy. They, the parents, fill out a piece of paper, it states their name, address, their email address. Sorry, their name, their email address, their telephone number, and any medical issues. But obviously, all of that information is relating to a child, so we have to be very careful. So that’s, well, what used to happen to it. And what still happens to it is fine, but I wasn’t aware of any GDPR until it got talked about in a business group I was in. But, actually it turns out what I’m doing is fine, because that form gets locked away in a secure cabinet in my office, and nobody else has access to it from that point on for the year. And then, it gets commercially shredded. And then, we start again the next year.

Stephanie McSherry 3:13
Yeah. And you see – sorry to interrupt you, Steph – and, on that point of locking it up, and nobody has access to it except for you. Why, particularly, is that? Besides the fact that they are children.

Philipa Farley 3:31
Well, and despite that, well, because of GDPR regulations. So nobody – I don’t want anyone in the nursery having access to it. I don’t want any of my staff, they will know the information that’s relevant to them, as in a medical situation, or an allergy, or something going on with the child, but apart from that, they don’t need any of that information. It’s only me that needs it. We retain those records by contacting the parents directly, chasing payments, or dealing with a situation within the creche, like a Child Protection issue. So, nobody needs access to it; just me.

Stephanie McSherry 4:07
And that’s fantastic, because you see, we as Data Protection professionals, business owners, you know, helpers, whatever you want to call us… We would be throwing out terms like data minimisation, you know, sort of need to know, access, security measures. And, I think, our terminology really scares people away a lot of time. Where, if you’re just sitting having a cup of coffee, which I mean – full disclosure, we’ve done plenty of times – and talked about this kind of thing. You’re saying it in your way, and I’m saying it in my way, and we find some middle ground, where immediately I would say your hard copies contain special categories of data, medical related information, and that’s kind of on a need to know basis, and you’re instituting appropriate security measures over that.

Philipa Farley 4:51
Yes. I think, when I would have heard your terminology right at the beginning, when GDPR became relevant in the press, I would have thought that doesn’t apply to me, simply because I was holding a hard copy. I didn’t think it applied to us. It made us change the way we do the registrations at camp. Because we would have had that information openly on the table where people are sitting in – they would have been able to see everybody else’s information. So how, you know, we have a tick off system, where we have that information, and they’re just signing to say that they’re there. They can’t see anyone else’s information. And then again, that gets you know, once the girls that are running the camp know exactly who you are, what’s going on with who if there’s any different needs that need looking after; that information gets removed from the building.

Stephanie McSherry 5:40
Yeah, and honestly, Steph, this is a professional opinion: I think that you found a fantastic balance between not burdening your employees and the people who work for you in various different roles. You’re not overburdening them with compliance requirements, but you’re meeting your obligations under the law, which is a huge message to send out to people; because people say it’s just too much or it takes up too much time, or it’s going to disturb our processes, and our flows too much. There is definitely a way that everybody can embed these good practices into their businesses. And that’s what we’re trying to show people.

Philipa Farley 6:19
It’s just an assessment really, of what you’re doing and what needs changing, and I feel very secure. Now a lot of our clients would be creches. So, if they got audited, and they needed to know well, hang on, we outsource this to you; where does this information go? I can say with confidence, it is stored away securely. Nobody has access to it. The girls have the pieces of information that they need, and that’s it. We’re safe in the knowledge that we’re doing the right thing for our clients as well.

Stephanie McSherry 6:47
Exactly. You have an interesting supply chain there because, I think, it gets slightly complex at times. We won’t go into specific details, about here’s the data processor, who’s the data controller? You know, are you joint controllers of information. So, at times, it does require a bit of strategic thinking before you put your compliance into action. But, you know, it’s manageable. And, as you say, it’s that peace of mind, and and knowing exactly where data is, who is seeing it, what’s happening to it, and being able to answer the questions. I think a lot of people battle to answer those questions. You’ve made a big change recently, and I’m just going to throw this kind of at you very briefly: you are making a big change to more digital-based processes, rather than paper-based processes. Would data protection have had a dealing for that change, or is that more a business-based decision, where the compliance has kind of come into the decision making?

Philipa Farley 7:49
It’s a little bit of both. As we grow, I realised, you know, the further away creches are from where we’re based, that maybe I’m not going to be able to physically handle every piece of paper that gets filled out. So, I wanted to find a company that could I could outsource that to, but that it would, it would look the same. So it’s just people going online. Our parents and our creches, going online, making a booking making enrollments, and processing payments. But it all looks like it’s going through ours. So the company, we chose is Class For Kids. They’re based in Scotland. And one of the first questions I asked was: where is that all the data held? It’s in Ireland, and I was trying to find out exactly what the data processing agreement would be between us, because obviously, then we’re into entering into a joint data processing agreement, and making sure that their privacy policy and their GDPR compliance, because obviously we’re now handling those areas of enrollments and payments and all the thing that we still want to keep private, and that they’re handling that with me.

Stephanie McSherry 9:00
Yeah, and you see Steph, again, it’s what I said to you about the language that we both use: I would throw big terms out, and I know some of my colleagues would throw big terms out, and we kind of lose touch a little bit with the very practical way that you’re handling it.

Philipa Farley 9:16
And sometimes it doesn’t just involve us as your client. Sorry, I don’t understand that. What does it mean? It’s a new language for us. It’s a completely new field that we have to look after. And I think sometimes it’s just being brave enough to say: “Sorry, I don’t understand what you mean by that. Can you explain it to me?” And, you’re very good at kind of breaking it down and saying: “Well, you’re doing this, you’re breaking this down, you know, you’re entering this relationship here. I’m going to break that down. That means they’re now jointly responsible for that process with you. So check this out and the other…” And that it just involves conversation sometimes.

Stephanie McSherry 9:49
Exactly, and just talking about issues is a great way of troubleshooting actually. If you could give a piece of advice to a potential client of yours or somebody who’s similar to you in business, because we would also be big proponents of helping people who are similar to us in business – we don’t kind of keep knowledge to ourselves. You know, just basically on that, that small point of assessing your suppliers, because you’re putting a lot of trust onto them to look after your information, your clients’ information, your children’s information, in a way that would meet your expectations. So three points, five points, short points on how to assess a supplier?

Philipa Farley 10:43
Well, I would, first of all, think you know, GDPR sounds a big, scary thing. And, sometimes, you can put it on the long finger or think that doesn’t apply to me. I definitely think now is the time to have the conversation, because you don’t want to be having it when you’re audited, and you don’t somebody picking up the phone and saying: “What is your process? What are you doing with this information?” You don’t have a clue. So just start and just take the first step and have a look: where are you holding all this information? If you’re looking to outsource it, like we did, then having those conversations: “Where are they holding the data? Who’s accessing that data? Where is that written down? What’s in their privacy policy? What’s in the GDPR compliance, in the cookie, that we do?” We now approve cookies and things like that, all of that needs looking at. Either you’re doing it for yourself, or you’re looking at the company that’s doing it for you and making sure that they’re compliant. And just not putting off – some of these things sound like big, scary things, and that’s going to be complicated, that’s going to be expensive. But, actually, when you look into it, it’s not at all. And I think, you know, it’s peace of mind, knowing that you can say to your clients, your customers, and for us, our parents, that their information is safe.

Stephanie McSherry 11:58
And, I want to say one more thing about you, Steph, if you don’t mind, and we can cut it out if you don’t like it, but I think you will like it. You wrote most of your policies yourself, did you not?

Philipa Farley 12:08
I did, yes. I did a lot of reading and putting it into language that I know precisely: I can read, I can understand, I know what that means. I know how to opt out of things if I don’t to use them, so you could do you can do that yourself. And it’s so important to write it that way, so that you can read somebody else’s – that’s maybe in a similar industry to you – and steal the bits that you like, or just reword them slightly, as you said. We all have to end up compliant, so we may as well have a look at that and use it.

Stephanie McSherry 12:41
Yeah, I know. And some people would say it’s plagiarism, like maybe technically it is whatever, but I look at it and say, it’s kind of like, industry best practice. And if you’re assessing who is doing things in a space similar to you and you go and you look to see what their practices are, you might find you’re further ahead on the journey that they are, or, you know, they are further ahead on the journey than you are. And, it’s actually, it makes everybody better if we are assessing each other, and benchmarking against our requirements under the law and seeing, okay, are we meeting or are we not meeting it, and rewriting those policies as we go along. I particularly like your policies, because they are written in your voice, and they are written in a way that your people can understand them. And that’s so, so important because that’s one of the actual requirements, is that we write in plain language for the audience. So, when you’re writing for parents, or when you’re writing for children, particularly, you know, you shouldn’t ask somebody like me to write it because I can’t write. I actually I’m incapable of writing in a way that a child will understand. Yeah, I have a person that I put that through as a filter, you know, who can write that way. So, yeah, I just I wanted to bring that up because people think that they must hire somebody from the outside, to write their policies. No.

Philipa Farley 14:01
Sometimes, I think, you because if you want, if you want to understand it yourself and you want your customers to understand it, it has to be in a language that everybody understands. So you know exactly what you’re explaining to the parents. And exactly for our staff even, this is what’s happening; this is why we can’t do this anymore, or this is why we have to change this.

Stephanie McSherry 14:25
So, if you gave one piece of advice to a client of yours, but we kind of discussed that, but you can say if you want to do another one, like if a nursery or a creche was looking to get, you know, a kids class provider in, what would one piece of advice be to them?

Philipa Farley 14:43
I woud definitely be checking that they’re fully insured, first of all, and making sure that all that information is GDPR compliant, and that their data processing room where are they are holding children’s information at the end of the day, particularly for a creche, if you’re outsourcing a programme of some description, you want to know that all your children’s information is being held safely.

Stephanie McSherry 15:08
Absolutely. You know, the last thing anybody wants to deal with is a data breach or an incident. You know, I can’t say that I’ve dealt with too many access requests in your space, you know, yeah, your space is very lovely. So we don’t have too many angry people coming along, but you know, there’s obviously like the small things that can slip through the cracks like you know, a newsletter or marketing going out to somebody that hasn’t opted in. Yes, there might be a bit of smoothing out there that happens.

Philipa Farley 15:41
Or, as you pointed out once to me, collecting information that you don’t need. Sometimes, we automatically put these forms – be them online or on paper – where you’re asked their name, their address, the date of birth, and this, that, and the other. And then, you pointed out to me: “why are you needing this information?” Because suddenly going, oh, maybe we don’t. I don’t need to know their address. You know, it’s just small little details like to make sure that you’re collecting the information that you need to do the job that you want to do.

Stephanie McSherry 16:08
Absolutely. So that’s like an audit of your forms and processes just going in and asking why, why, why, ,what do we do with this? What do we do with it?

Philipa Farley 16:17
Why do we need it ? What are we doing with it? And we get it might be that you come out at the end of that process and say, yeah, we need all that information. But, for me, I suddenly realised I was connecting a whole load of data that I didn’t need. So, we completely changed our forms, and just collected the data that we needed.

Stephanie McSherry 16:32
Your website is lovely. I still really love it. It’s not difficult to understand and the links are all there in the correct place. You can, you know, manage your cookie preferences. You can see the policies; you can get in touch easily. So, you know, like, I think the point really is, Steph, and I really would like to say it, again, is that: compliance is not onerous. It might feel difficult, but it isn’t.

Philipa Farley 16:58
Clear communication, I think, is the key. Clear communication with whatever your customer or client is, and you need to communicate clearly just what you’re doing with their information and where it’s being held.

Stephanie McSherry 17:08
Yeah. Thank you so much. No. Do you want to say anything else?

Philipa Farley 17:13
No, this is fun.

Stephanie McSherry 17:16
GDPR is fun, Steph.

Okay, let’s not go that far. No, we won’t go that far.

We hope you enjoyed that episode of The GDPR Series. If you do, please subscribe. Find us on social media. We love to have a chat.

 

Philipa Jane Farley
Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy.  With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide.  Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher besides holding a computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB) qualified. She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person that enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.