As the General Data Protection Regulation (GDPR) deadline draws nearer, businesses need to act now to ensure they are well-prepared. Latest updates from the ICO concern organisations and businesses that work with children, as GDPR will introduce new, specific legal responsibilities for organisations processing children’s data from 25 May 2018.
The ICO has prioritised children’s data, because children may be less aware of the risks involved, and therefore need particular protection during the collecting and processing of their personal data. Appropriate frameworks will need to be designed with this in mind and compliance with the data protection principles should be central to all processing of children’s personal data.
You will also need to act lawfully when handling and processing such data. Consent is one possible lawful basis, but the Data Protection Bill states that only children aged 13 or over are able to provide their own consent. Under that age, they must have consent from a parent or guardian. This will not be set in stone until the Bill becomes law, but organisations should be prepared and keep themselves up to date.
Children have the same rights as adults over their personal data, so it is important that they understand how they consent to the collecting and processing of their data. Ideally, this should be stated in clear notices for children so that they are able to understand what rights they have.
If your organisation uses marketing that is targeted at children, you need to make sure you’re aware of the specific protection surrounding targeted marketing and the creation of personality or user profiles. It is not safe to assume that, just because these decisions have been automated, children have consented. Organisations need to guard against using children’s data in ways that may have a legal or similarly significant effect on the child.
As long as data controllers can show that they are taking the right steps to consider children’s privacy, they should be well placed to demonstrate their compliance with the GDPR. More information can be found here, or alternatively, contact Wilkins Kennedy to see how we can help.