The ICO exists to empower you through information.

This self-assessment risk tool has been created with medium to large private, public and third sector organisations in mind. This tool will help you conduct your own risk assessment of how both the UK General Data Protection Regulation and the Children's code applies in the context of your digital service and give you practical steps for you to apply a proportionate and risk-based approach to ensuring children’s protection and privacy.                    

How to use the self-assessment risk tool

  1. After identifying the risk in your user journey map, you should take all reasonable mitigation measures to ensure they are as low as practically possible. Where there are opportunities to proactively support children’s rights, you should think about how to realise them.
  2. Once you have identified the risk mitigation measures you will implement, you should make a final assessment of the level of “residual risk” to children that remains after you have done so.
  3. After that, you should balance the residual risks to children’s rights against the benefits to them (for each individual element of the service, not as whole). You can then make your overall assessment about whether you are acting in the best interests of children.

Explore the next step

Step 4: Prioritise actions

Create an action plan for risk areas highlighted in your risk assessment.