A key driver behind the GDPR’s approach to children’s data is to strike a balance between encouraging children to interact with creative and educational opportunities online and protecting their privacy rights.
Here is an outline checklist based on the ICO’s 51-page consultation document, “Children and the GDPR guidance”. These are essential notes for anyone offering educational services for children both on and offline, and for all organisations that market to children.
Under the GDPR you must consider the following points.
General compliance requirements
- Comply with all requirements of the GDPR, not just those relating to children
- Design your data processes from the outset with children in mind
- Use Data Protection Impact Assessments (DPIAs) to assess and mitigate any risks to children
Lawful basis for processing a child’s personal data
- If you rely on consent for processing, make sure the children understand what they are consenting to. If you offer an online service directly to children, only children aged 13 plus can provide their own consent. For children 12 years and under you need to get consent from whoever holds parental responsibility for them
- If you’re processing data that is “necessary for the performance of a contract”, you must consider the child’s ability to understand what they’re agreeing to
- When relying on “legitimate interests” as your basis for data processing, identify any risks and consequences of the processing and set up appropriate safeguards
Marketing to children
- Make sure children’s personal data isn’t used in a way that might lead to their exploitation
- Consider sector-specific guidance on marketing, such as that issued by the Advertising Standards Authority (ASA)
- Stop processing a child’s personal data if they ask you to
Automated processing of children’s data
Under the GDPR, children will now have the right not to be subject to decisions based solely on automated processing, including profiling. Exceptions to this rule apply only if suitable measures are in place to protect the rights, freedoms and legitimate interests of the child. So…
- If you automate children’s data processing, you’ll need to review this to make sure you’re compliant under the new rules.
Privacy notices for children
Privacy notices must be appropriate for the age of the child and inform them of their right to have personal data erased, particularly where processing is based on the child’s consent.
- Write your privacy notice in clear, simple language so it’s easy to understand
- Use child-friendly ways of communicating such as diagrams, cartoons, videos or icons
- Explain why you need the personal data you’ve asked for and what you plan to do with it
- Explain what rights the child has
Schools and other educational institutions that require specialist GDPR training for heads, deputies and other senior team members can find out about Me Learning’s selection of online GDPR courses for education.