The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This document is intended as an example of good practice to help companies creating connected toys for use by children in the UK. It will help you to understand and apply the ICO’s Children’s code, formally known as the Age-appropriate design code. It specifically applies to Standard 2 of the code, which relates to the need for Data Protection Impact Assessments (DPIAs) for Information Society Services (ISS) likely to be accessed by children (under age 18) in the UK, and Standard 14: Connected toys and tablets. Before starting to review the DPIA sample, you might find it helpful to read the two standards mentioned above.

The ICO has worked with a connected toy manufacturer to produce the sample, and with the law firm DLA Piper to draft the text for the DPIA. The product used in this sample is imaginary, and is not intended to represent an actual product.

This sample DPIA is adapted from the ICO’s DPIA template, and follows the process set out in our DPIA guidance and the code. You should read it alongside the code and DPIA guidance, and the Criteria for an acceptable DPIA set out in European guidelines.

The sample DPIA below is a beta version, and is still being reviewed by the ICO for further development. We welcome recommendations for improvements or other feedback. Please email your comments to

Name of controller: The Toy Company
Subject/title of DPIA: Connected toy