The ICO exists to empower you through information.

You must now act on your assessment of the impact of your online service to fulfil your data protection law obligations and turn it into practice. The children’s best interests assessment lays the groundwork for fulfilling your code and wider data protection law obligations. Once you have made your assessment, you should do the following:

  • Put your commitments into practice. Ensure you have a plan for regularly testing and reporting the effectiveness of every measure you implement. This will support and mitigate risks to children’s rights. Translate your assessment into engineering roadmaps and wider business transformation plans and success metrics. Consider approaches to promote thinking around children’s best interests at every stage of your organisation’s design cycle.
  • Translate your assessment into your DPIA, which is obligatory for all organisations in-scope of the code. You will have covered many steps within the DPIA through your best interests assessment. This includes describing your processing, identifying and assess risks, and measures to mitigate them.
  • Consult with the ICO on any areas where residual risks are high (after mitigation measures are considered). Don’t process children’s data until you have done so. This is a legal requirement under UK data protection law.
  • Think about how best to communicate risks identified to your service users. This ensures you conform with the code’s Transparency standard. This standard states that children and parents must be given accessible information. This allows them to make informed decisions about whether to provide data to your service, including the risks and benefits inherent in doing so.
  • Ensure you review your best interests assessment and DPIA. You should do this whenever you introduce new data-enabled services or product features that are likely to have a significant impact on children’s rights. It is also good practice to set regular periodic reviews to ensure your assessments are still accurate.

You should never treat a best interests assessment as a superficial tick-box exercise. It is should be one aspect of your wider commitment to risk management and accountability.  

Regulators, business partners, children and parents need to see that you are using children’s data responsibly, if you want to earn their trust. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow. To demonstrate your accountability you can do the following:

  • Publish your DPIA. Parents, civil society groups and other stakeholders will want to assure themselves you conform with the code.
  • Integrate your children’s best interests assessment into your organisation’s wider governance and risk management processes. For example, within your information risk policy, organisational and departmental risk registers, equality and rights impact assessments.
  • Develop governance processes to help staff within your organisation escalate data protection concerns about children’s data use. For example, staff forums or anonymous reporting lines.

Tools and further resources

Sample DPIAs for hypothetical online retail, gaming and connected toy scenario give you a reference point for completing your organisation’s DPIA.

Our Accountability framework provides general guidance on how to embed responsible practice in your organisation, and demonstrate your compliance with data protection law.