Step 1: Identify the need for a DPIA
Explain broadly the nature of your online service, and the current stage of design or development. You may find it helpful to refer or link to other documents. Summarise when and how you identified the need for a DPIA.
Guidance: Standard 2 of the Children’s code requires Information Society Services (ISS)* to undertake a DPIA if they are processing children’s data. Therefore, it may be useful to reference the Children’s code requirement in step 1. See Standard 2 of the Children’s code - DPIAs:
“Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.
*An Information Society Service is defined as “any services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” You can see the Services covered by this code for more information on whether you may be in scope of the Children’s code.
We are launching a mobile app game called Cooking Numbers aimed at children between the ages of five and eight. It has a PEGI rating of three meaning that it is suitable for all age groups. It will be available from the iOS App Store, Android App Store and Amazon App Store in English, French, Italian, German and Spanish. The game is monetised through a combination of in-app purchases, advertisements and subscription.
Development of the game is complete. We will be launching the game on platforms within six weeks.
No personal data is captured by this game, however we have drafted this DPIA to explain:
- how game play data is used to support monetisation;
- how data is anonymised to ensure no personal data is retained;
- why the game is not collecting personal data; and
- the wider ecosystem (eg app stores) may be collecting personal data that is not shared with us.
Helpful hint: You can see the ICO’s guidance on what activities are considered likely to result in a high risk and need a DPIA. You should also review the Children’s code harms framework. The framework is a flexible tool for identifying data-related risks to children that you need to consider when completing your DPIA. Its aim is to support online services to place children’s best interests at the heart of their services.