Everything you need to know about: GDPR and Children's data
In this edition of ‘Everything you need to know about’ we will be looking at children's data: what it is, how it is separate from standard personal data, and how you can manage it in a secure and legal manner.
Processing personal data related to children is not the same as processing standard personal data. As such, any processing will require a variety of extra steps.
The GDPR inherits its definition of a child from the United Nations Convention on the Rights of the Child, which defines a child as "a human being below the age of 18 years unless under the law applicable to the child, majority is attained earlier".
However, if you are relying on consent as your lawful basis for processing or offering an online service directly to a child, national laws and definitions apply; e.g. in the UK, only children aged 13 or over are able to provide their own consent.
Why is children’s data different?
The GDPR identifies children as being ‘vulnerable data subjects’. This means that they need particular protection when you are collecting and processing their personal data, as they may not be aware of the risks involved. Systems should be designed with these extra protections in place, and you may need to clarify your privacy notices so that children can understand what will happen to their personal data.
It is important to note that children have the same rights as adults do over their personal data. The Right to Erasure is especially relevant here. It has special application where an individual originally gave their consent to processing when they were a child, without being fully aware of the risks.
How can I process Children’s data?
Similar to processing standard personal data, you must identify a lawful basis before you can process children’s data. However, specific conditions apply if you want to target children with marketing or want to profit from automated decisions about them.
The GDPR states that organisations marketing to children should not exploit any lack of understanding or vulnerability. Equally, children have the same right as adults to object to you processing their personal data for direct marketing. So you must stop doing this if a child (or someone acting on their behalf) asks you to do so.
The ICO recommends that you should ‘generally avoid profiling children for marketing purposes’. You must also respect a child’s absolute right to object to profiling that is related to direct marketing and stop doing this if they ask you to.
If you are using consent as the lawful basis, you must consider national legislative requirements. Where a child is not considered to be competent (e.g. under-13s in the UK), an adult with parental responsibility must provide the consent required.
How do I manage Children’s data?
You should manage the children’s data that you control in the same manner as normal personal data.
Sharing children’s personal data with third parties is permitted, but it is strongly recommended that you complete a Data Protection Impact Assessment (DPIA) before doing so. When undertaking data mapping exercises, it is also recommended that you note where children’s data could be processed. You should also look to implement some form of age verification when obtaining consent for processing.
Processing children’s data shouldn't be a headache, but those processing children’s data should be aware of and alive to the extra risks that it entails.
When it comes to protecting children’s data, there are also international laws (GDPR), national laws (UK Children’s Act 1989/2004) and country-specific laws that must be taken into account. Back in 1989, Article 3 of the UN Convention on the Rights of the Child (UNCRC) was published. This is still relevant today.
• Keep them safe from exploitation risks, including the risks of commercial or sexual exploitation and sexual abuse.
• Protect and support their health and wellbeing.
• Protect and support their physical, psychological, and emotional development.
• Protect and support their need to develop their own views and identity.
• Protect and support their right to freedom of association and play.
• Support the needs of children with disabilities in line with your obligations under the relevant equality legislation.
• Recognise the role of parents in protecting and promoting the best interests of the child and support them in this task.
• Recognise the evolving capacity of the child to form their own view and give due weight to that view.
Follow Article 3 and children’s data is likely to be protected.
About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/