Safeguard-Me Blog

Getting the Balance Right Between GDPR and Safeguarding

2025-10-31 11:13
GDPR and safeguarding can feel like they're pulling in opposite directions. GDPR says, "Protect personal data and limit access." Safeguarding says, "Share information to protect children." So how do you balance the two?
The good news: GDPR and safeguarding are not in conflict. When you understand the rules, you'll see that GDPR actually supports good safeguarding practice. This week, we're focusing on reviewing your GDPR compliance for safeguarding data—including access permissions, retention policies, and data subject rights.
Let's break it down.

Why GDPR Matters for Safeguarding

Safeguarding data is some of the most sensitive information you'll handle. It includes:
  • Details of abuse, neglect, or harm
  • Personal information about children and families
  • Staff records, including DBS checks and allegations
  • Communication with social services, police, and other agencies
Under GDPR, this data is classified as special category data—which means it requires extra protection. But GDPR also recognises that safeguarding is a legal obligation, and it provides clear rules for how to handle this data lawfully.
The key principles:
  1. Lawfulness, fairness, and transparency: You must have a legal basis for processing safeguarding data (usually "legal obligation" or "vital interests")
  2. Purpose limitation: Use safeguarding data only for safeguarding purposes
  3. Data minimisation: Collect only the information you need
  4. Accuracy: Keep records up-to-date and correct
  5. Storage limitation: Don't keep data longer than necessary
  6. Integrity and confidentiality: Keep data secure and confidential

Step 1: Review Access Permissions

Who can access your safeguarding records?
One of the most common GDPR mistakes is giving too many people access to sensitive data. GDPR requires that access is limited to those who need to know to fulfil their role.
One feature of our platform is that you can control your admin team's access more easily and limit who they can see verses shared files on your generic document storage system.
Questions to ask:
  • Who currently has access to safeguarding records?
  • Do they all need access to do their job?
  • Are access permissions reviewed regularly?
  • Is access logged and monitored?
Best practice:
  • Limit access to the Designated Safeguarding Lead (DSL), deputies, and senior leaders
  • Use role-based access controls (e.g., central admin vs. team admin vs. staff)
  • Log who accesses what and when (audit trails),
  • Review permissions annually or when staff roles change
Example: A teaching assistant doesn't need access to all safeguarding case files—only information relevant to the children they support.
Our system has role profiles built in for a central admin lead such as a DSL, team admins who can manage groups of people such as locations or departments and then the staff passport profiles themselves. All of which is automatically logs who has access to what making it easier to ensure people only have access to what they're supposed to.

Step 2: Review Retention Policies

How long should you keep safeguarding records?
GDPR says you shouldn't keep personal data longer than necessary—but safeguarding records often need to be kept for many years (or even indefinitely in some cases).
Retention guidelines:
  • Safeguarding case records: Until the child reaches 25 (or longer if serious allegations)
  • Staff records (DBS, references, etc.): 6 months to 7 years, depending on the document
  • Allegations against staff: Indefinitely if substantiated; follow local authority guidance if unsubstantiated
  • Incident logs: Follow your organisation's retention policy (typically 3-7 years)
Questions to ask:
  • Do you have a documented retention policy?
  • Are retention periods based on legal requirements?
  • Do you review and delete records when retention periods expire?
  • Are expired records disposed of securely (shredding, secure deletion)?
Best practice:
  • Create a retention schedule that specifies how long to keep each type of record
  • Set calendar reminders to review and delete expired records
  • Use secure disposal methods (shredding for paper, secure deletion for digital)
Our system enables admins to delete whole records, profiles or individual documents as appropriate.

Step 3: Understand Data Subject Rights

Under GDPR, individuals (including children and parents) have rights over their personal data:
1. Right to be informed - You must tell people how you use their data (via privacy notices)
2. Right of access (Subject Access Requests - SARs) - Individuals can request a copy of their data. You must respond within one month.
3. Right to rectification - If data is inaccurate, individuals can ask you to correct it.
4. Right to erasure ("right to be forgotten") - Individuals can ask you to delete their data—but this right is limited when you have a legal obligation to keep records (e.g., safeguarding).
5. Right to restrict processing - Individuals can ask you to limit how you use their data.
6. Right to object - Individuals can object to certain types of processing (but not safeguarding, which is a legal obligation).
Questions to ask:
  • Do you have a process for handling Subject Access Requests?
  • Do your privacy notices explain how you use safeguarding data?
  • Do you know when you can (and can't) delete safeguarding records?
Best practice:
  • Create clear privacy notices for parents, staff, and children (age-appropriate language)
  • Train staff on how to handle SARs
  • Understand the exemptions: you don't have to disclose information that would harm a child or prejudice an investigation

Step 4: Review Data Sharing Practices

Safeguarding often requires sharing information with external agencies (social services, police, schools, etc.). GDPR allows this—but you must do it lawfully and securely.
Questions to ask:
  • Do you have data-sharing agreements with external agencies?
  • Do you share information securely (encrypted email, secure platforms)?
  • Do you document what information you shared, with whom, and why?
  • Do you only share information on a need-to-know basis?
Best practice:
  • Use secure methods to share information (encrypted email, secure file transfer)
  • Document all information-sharing decisions
  • Share only the minimum information necessary
  • Ensure external agencies also comply with GDPR
Our platform lets you easily share individual profiles and your wider company policy documents securely and compliantly.

Step 5: Conduct a GDPR Audit

Use this checklist to review your GDPR compliance:
Access Permissions:
Access limited to those who need to know
Role-based access controls in place
Access permissions reviewed regularly
Audit trails track who accesses what
Retention Policies:
Documented retention schedule in place
Retention periods based on legal requirements
Expired records reviewed and deleted
Secure disposal procedures for expired records
Data Subject Rights:
Process for handling Subject Access Requests
Privacy notices clear and accessible
Staff trained on data subject rights
Data Sharing:
Data-sharing agreements with external agencies
Information shared securely
Information-sharing decisions documented
Minimum necessary information shared

Common GDPR Mistakes (and How to Fix Them)

Mistake: Too many people have access to safeguarding records
Fix: Review permissions and limit access to those who need to know
Mistake: No retention policy—records kept indefinitely "just in case"
Fix: Create a retention schedule based on legal requirements
Mistake: Sharing information insecurely (unencrypted email, USB sticks)
Fix: Use encrypted email or secure platforms like Safeguard-Me
Mistake: No privacy notices or unclear language
Fix: Create clear, accessible privacy notices for parents, staff, and children
Mistake: Not logging information-sharing decisions
Fix: Document what you shared, with whom, why, and when

Bringing It All Together

GDPR doesn't stop you from safeguarding children—it helps you do it responsibly. By reviewing access permissions, retention policies, and data-sharing practices, you'll ensure that your safeguarding data is secure, compliant, and used appropriately.

Take Action This Week

✅ Review who has access to safeguarding records and tighten permissions
✅ Create or update your retention schedule
✅ Check that privacy notices are clear and accessible
✅ Review data-sharing practices and ensure information is shared securely
✅ Train staff on GDPR and data subject rights

Need Help?

Safeguard-Me makes GDPR compliance effortless. Our platform provides:
  • Role-based access controls so only authorised staff can view sensitive data
  • Encrypted, secure storage that meets GDPR requirements
  • Audit trails to track who accessed what and when
  • Retention tracking to help you manage data lifecycles
Start your free passport today and see how digital safeguarding can simplify GDPR compliance.
Next week, we'll explore updating digital systems to ensure secure access to safeguarding records and reports. Stay tuned!