The ICO exists to empower you through information.

Data protection impact assessments (DPIAs)

Share Download options

Pages

Format

Control measure: The requirement for a DPIA is documented and online service developers are provided with clear guidance on the assessment criteria.

Risk: If there is no documented DPIA process, the development of the service and the risks to children’s privacy may not be assessed. This may breach article 35 of the UK GDPR. 

Ways to meet our expectations:

  • Reference DPIA requirements in all main project and change management policies and procedures.
  • Introduce a screening checklist to help you consider whether the processing falls within the scope of the code and is therefore likely to result in a high risk to the rights and freedoms of children. 
  • Document the DPIA process, provide staff with training on the application of the process and review it periodically to ensure it remains up-to-date.

Options to consider:

  • Have checkpoints within product design templates to prompt for an assessment of privacy risks at each key design phase.

 

Control measure: DPIAs are undertaken before carrying out any new types of processing that are likely to result in a high risk to children's rights and freedoms. DPIAs cover the nature, scope, context and purposes of the processing.

Risk: If DPIAs are not carried out before high risk processing, then the organisation may breach UK GDPR article 35.

Ways to meet our expectations:

  • Clearly structure DPIAs and take a layered approach, adding technical detail where appropriate.
  • Ensure DPIAs:
    • describe the nature, scope, context and purposes of the processing in detail;
    • clearly consider and document the appropriate lawful basis and article 9 condition for processing;
    • clearly set out the relationships and information flows between controllers, processors, people and systems; 
    • consider the transparency of the processing and how to make children aware of their rights;
    • outline how the information is collected, stored, accessed and who it is shared with;
    • include information about measures to ensure accuracy, avoid bias and where relevant, explain the use of AI;
    • provide specific details of technological security measures;
    • consider whether the service can be delivered by less intrusive means or using minimal personal information; and
    • address how each of the standards within the code are addressed.
  • Include an assessment of the online service for:
    • physical harm; 
    • online grooming or other sexual exploitation; 
    • social anxiety, self-esteem issues, bullying or peer pressure; 
    • access to harmful or inappropriate content; 
    • misinformation or undue restriction on information; 
    • encouraging excessive risk-taking or unhealthy behaviour;
    • undermining parental authority or responsibility; 
    • loss of autonomy or rights (including control over information); 
    • compulsive use or attention deficit disorders; 
    • excessive screen time; 
    • interrupted or inadequate sleep patterns; 
    • economic exploitation or unfair commercial pressure; or 
    • any other significant economic, social or developmental disadvantage.
  • Ensure DPIAs identify measures to eliminate or reduce all risks.
  • Record the advice and recommendations of the DPO in DPIAs and ensure they have been signed off by the appropriate people.
  • Carry out a consultation or fully document why this isn’t possible, is unnecessary, or disproportionate.
  • Establish a clear link between the DPIA and design processes, including details on how to prevent function creep.
  • Review DPIAs on a regular basis, particularly if you change or update service functionality or use.

Options to consider:

  • Have a standard DPIA template.
  • Keep a log of all DPIAs which includes a 'last review' date.
  • Consult with children and parents as part of the assessment, for example by:
    • seeking feedback from existing users;
    • conducting a general public consultation;
    • using market research;
    • trialling through user testing; or 
    • speaking with relevant children’s rights groups.
  • Seek independent advice from experts in children’s development needs and rights.

 

Control measure: The outputs of a DPIA are acted on to effectively mitigate or manage any risks identified.

Risk: If processing takes place before a DPIA, or before mitigating controls are put in place, then there is a risk of processing information without risk assessment or control which has harmful impacts on children. This may breach article 35 and 5 (1) (a) of the UK GDPR.

Ways to meet our expectations:

  • Act on the outputs of your DPIA to effectively mitigate or manage any risks identified.
  • Include a stage in the project or product management process to confirm that mitigating controls are in place.
  • Retain evidence to confirm that you did not start processing until you implemented mitigating controls.
  • Incorporate DPIAs into the project plan or project risk register.
  • Refer the DPIA to the ICO for review, if the residual risk is high and you cannot mitigate it further.

Options to consider:

  • Produce and circulate a report to summarise the outputs of your DPIA for both internal stakeholders and the public.
  • Publish your DPIA report on your website.