A blog by Michael Murray, ICO’s Head of Regulatory Strategy.
27 May 2021
Our new blog series is one of the ways we’re supporting organisations to comply with the Children’s Code. Over the coming months, we will provide a detailed explanation of the 15 standards set out in the code, giving practical advice and exploring some of the more nuanced aspects.
This series is aimed at organisations that are already familiar with the code and the UK General Data Protection Regulation (UK GDPR). If you’re new to the code and think you may be impacted by it, our online hub dedicated to the Children’s Code is a good place to start.
This first blog will explore the Data Protection Impact Assessments (DPIAs) standard.
What is a DPIA and what’s in it for me?
All organisations in the scope of the Children’s Code are obligated to complete a DPIA. So, if you run an online service that’s likely to be accessed by children, you must complete one. Not only is undertaking a DPIA one of the standards laid out in the Children’s Code, it is also a key part of organisations’ accountability obligations under the UK GDPR.
A DPIA is a process to help you assess and mitigate the data protection risks of your service to the rights of children who are likely to access it. DPIAs are a powerful tool used from concept stage to deployment and beyond.
In the context of the code, it is the vehicle through which to assess whether your services are designed to support the best interests of children.
A DPIA will help you draw out and document the questions you need to answer in order to conform with the Children’s Code. It will also help you identify risks and design appropriate changes to mitigate them and conform with the code. This is privacy-by-design.
It can also bring cost savings and broader benefits for both children and your organisation. It reassures parents that you protect their children’s interests, builds trust in the way you handle children’s personal data, and shows that your service is appropriate for children to use.
The consultation phase of a DPIA can also give children and parents the chance to have a say in how their data is used, help you build trust, and improve your understanding of child-specific needs, concerns and expectations. It may also help you avoid reputational damage later on.
What should I do as part of a DPIA?
Steps you should consider taking include:
- Describing the processing of personal data you plan to do, including matters such as the age range of children likely to access the service, plans for any parental controls and the use of any nudge techniques.
- Consulting with children and parents – we will expect larger organisations to do this in most cases. If you consider that it is not possible to do any form of consultation, or it is unnecessary or wholly disproportionate, you should record that decision in your DPIA, and be prepared to justify it to us.
- Assessing necessity, proportionality and conformance, including how you conform to each of the standards in the Children’s Code.
- Assessing how your processing impacts on the best interests of child users, as defined by their rights under the UN Convention on the Rights of the Child. Here you should identify, assess and mitigate risks, such as the potential impact on children and any harm or damage your data processing may cause – whether physical, emotional, developmental or material. If you identify a high risk that you are not mitigating, you must consult the ICO. We are developing guidance to support organisations in identifying and assessing data-related risks to children, building on the beta Children’s Code Harms Framework that we’ve already published.
It is good practice to publish your DPIA. As well as demonstrating compliance, publication can help build trust and confidence in your service.
When should I do a DPIA?
If you haven’t already done so, you should be completing a DPIA on your existing or legacy services, to help you understand if you need to make any changes to conform to the code. You should also use a DPIA during the early design of any new services, before you start processing any personal data. Undertaking a DPIA is a flexible and scalable process.
The ICO will be producing some DPIA examples before the end of the code transition period to support you, and will update this blog when they are available. In the meantime, you can use or adapt this template if you wish.
There’s more detail on what needs to be included within a DPIA in our dedicated guidance.
Working through a DPIA will stand you in good stead in preparing to comply with the other 14 Children’s Code standards, as a real cornerstone of data protection law.
Our next blog post will focus on the best interests of the child and detrimental use of children’s data.
Michael Murray is the Head of Regulatory Strategy at the ICO.