
How Will the GDPR Affect Children’s Data Processing?

21 Feb 2018

“The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’…”

The GDPR will bring in special protection for children’s personal data, particularly where it is used for information services such as online shopping, live or on-demand streaming services and for social networking.  The GDPR identifies children as ‘vulnerable individuals’ deserving of ‘specific attention’, explaining that this is because children ‘may be less aware of the risks, consequences and safeguards’ of handing over their personal data.  The regulation says that this is particularly the case when services are offered directly to a child and when their personal data is used for marketing and creating online profiles. If your company processes children’s personal data, here are the changes that will affect you:

Age of consent

“…the person with parental responsibility must give their consent for a child under 16 to share their personal data.”

Under the current Data Protection Act, a child of any age can give their personal data away online without parental consent.  This will change under the GDPR, which defines the age of consent as 16.  The GDPR states that the person with parental responsibility must give their consent for a child under 16 to share their personal data.  Data controllers are required to make ‘reasonable efforts’ to verify parental consent.

NOTE: Recital 38 states that parental consent is not required for counselling services offered directly to a child.

Member states may choose to change the age of consent from 16.  The UK government is planning to lower the age of consent to 13.  This won’t have too much impact on children’s social networking because children under 13 are already excluded from social networking sites such as Facebook and Snapchat.  However, under the new regulation organisations are likely to have to verify the ages of their subscribers, which they don’t have to do presently.  For services aimed at under-13s, organisations will have to prove that they have received parental authorisations.

Privacy notices

“Privacy notices for children must be…concise, transparent and in plain language.”

Privacy notices for children must be as transparent as those written for adults – the GDPR’s Article 12 says the information provided to data subjects must be concise, transparent and in plain language. Just like adults, children must know the identity of the data controller and how their personal data will be processed. They must also be made aware that they can withdraw their consent to data processing at any time (see the previous blog post ‘What will consent mean under the GDPR?’ for more information).  When writing privacy notices aimed at children, data controllers must take account of the specific age group of their audience so that they write in clear language that the child can easily understand.

Can you justify processing children’s data under GDPR rules?

“…the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.”

GDPR Article 6 (1) (f) says that the rights and freedoms of a data subject are more likely to override the legitimate interests of the data controller or third party when the data subject is a child.  Data controllers must make sure they have documentation to show that they have carefully considered this.  When we look at the GDPR definitions of ‘legitimate interests’, we can see that processing children’s data is unlikely to be necessary for most of these purposes.

Legitimate interests include:

  • processing for direct marketing purposes or preventing fraud – Recital 47
  • transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data – Recital 48
  • processing to the extent strictly necessary for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems – Recital 49
  • reporting possible criminal acts or threats to public security to a competent authority – Recital 50.

Codes of conduct

“It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.”

GDPR Article 40 requires member states to create their own codes of conduct. This includes safeguarding children’s data, specifically the way in which consent is gained and documented.  It’s important to be on the alert for new codes of conduct as they might impose additional requirements on data controllers.

How can my organisation plan for changes?

Start by ensuring that:

  • you watch for the publication of codes of conduct that might impact your data processing
  • you implement appropriate parental consent mechanisms, including verification processes
  • where you offer services directly to a child, the notices are written in child-friendly language
  • any reliance on ‘legitimate interests’ to process children’s data is supported by carefully documented evidence to show that the child’s interests don’t override those of your organisation

© Copyright All Rights Reserved, NDC Certification Bureau Ltd. 2021