Sample Data protection impact assessment: Online retail

This document is intended as an example of good practice to help small to medium-sized enterprises operating an online retail service. It will help you to understand and apply the ICO’s Children’s code, formally known as the Age appropriate design code. It specifically applies to Standard 2 of the code, which relates to the need for Data Protection Impact Assessments (DPIAs) for Information Society Services (ISS) likely to be accessed by children (under age 18) in the UK. Before starting to review the DPIA sample, you might find it helpful to read the code standards.

The service outlined in this sample is imaginary, and is not intended to represent an actual online retailer.

This sample DPIA is adapted from the ICO’s DPIA template, and follows the process set out in our DPIA guidance and the code. You should read it alongside the code’s DPIA guidance, and the Criteria for an acceptable DPIA set out in European guidelines.

Standard one of the Children’s code requires ISS to treat the best interests of the child as a primary consideration in their processing of children’s data. Assessing children’s best interests is an important part of the DPIA process. The ICO’s best interest self-assessment can help you with this.

The ICO’s design guidance has tools that can help you apply some of the standards in practice, in order to create an open, transparent and safe place for children online.

We welcome recommendations for improvements or other feedback. Please email your comments to [email protected].

Name of controller: The Toy Shop
Subject/title of DPIA: Online toyshop