The ICO exists to empower you through information.

Step 1: Identify the need for a DPIA

Explain broadly the nature of your online service, and the current stage of design or development. You may find it helpful to refer or link to other documents. Summarise when and how you identified the need for a DPIA.

Guidance: Before starting this DPIA, you may find it helpful to read the ICO’s guidance on DPIAs.

Standard 2 of the Children’s code requires Information Society Services* to undertake a DPIA if they are processing children’s data. Therefore, it may be useful to reference the Children’s code requirement in Step 1. See Standard 2 of the Children’s code - DPIAs:

“Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance with this code.”

For further information, see the ICO’s guidance on what activities are considered likely to result in a high risk and need a DPIA

* An Information Society Service is defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” You can find more information on whether you may be in scope in the Children’s code.

The Toy Shop is a new online website selling products for children normally six years and older, supporting children’s rights to play and development. Our website is currently active. It uses a commercially available e-commerce platform.

On the website users can search for and learn about our range of products. All users have access to the toy information pages.

Our main use of personal data is to process and fulfil orders made on the website, and deal with customer enquiries. In addition, we undertake limited profiling activities using order history data and the analytics data obtained from our use of these cookies. We do this to recommend similar products to these users. We only carry out profiling for users over the age of 13 since our processing requires the user to have consented to the use of analytics cookies.

Users can sign up for generic newsletters with their email address.

This is consent-based so only available to those over 13. We also use the “soft opt-in” exception to send generic newsletters to existing customers, both children and adults. New users can sign up to the newsletter using a tick box to self-declare themselves as 13 or above. All email newsletters have an unsubscribe link and all opt-outs are actioned and respected.

Guidance: The Children’s code applies to “information society services likely to be accessed by children” in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children. You can find more information on ‘likely to be accessed’ in the code.

Market research conducted by similar websites suggests that up to a third of users of the service are likely to be children under the age of 13, about 10% will be children 13-17, with the remaining 55% likely to be adults.

Helpful hint: You might find it helpful to conduct research into the users of your service (eg user online surveys, forums), or draw on research undertaken by similar sites, commercial research companies or representative bodies.


We have identified the need for a DPIA because we will be collecting and processing children’s personal data through the platform, including contact details (eg email address), financial data, and purchasing history. This processing is included in the list published by the ICO under Article 35(4) of the UK GDPR.