January 15, 2018

The ICO has published draft guidance on children and the GDPR and is seeking comments.

Once it has considered the responses, the ICO says that it will produce final guidance. In the meantime, this draft is aimed at providing some clarity and certainty for organisations. Even if some details are yet to be confirmed, the ICO says that the principles are likely to remain largely unchanged.

While the ICO wants as many people and organisations as possible to respond to the consultation, it also wants to stress that organisations need to be working towards compliance now.

The ICO says that data controllers that follow the advice in this guidance and can show that they have given proper consideration to children’s privacy should be well placed to demonstrate their compliance with the GDPR. Data Protection Impact Assessments (DPIAs) and audit trails of decision-making will help in this respect.

There will, however, be “no excuses for those that don’t”, the ICO warns.

Fairness, transparency and accountability are essential for all data processing, but this is especially relevant when children are accessing online services, the ICO says. Anyone offering online services to children will have to ensure that they are addressed in plain, clear language that they can understand.

The ICO reminds readers that under the GDPR there are new rules concerning areas such as automated decision-making, the right to erasure, and consent. Between now and May, organisations offering online services to children will need to review their existing processing, to clarify under what lawful bases they will process data in the future and to make sure they meet the relevant requirements. If they are providing online services to children and are relying on the basis of consent, they will need to take action now to get valid consent in place before May.

This does not mean consent will always be required, the ICO explains. Organisations may be relying on a different basis for processing (such as legitimate interests) and it may be that a different basis is better for both the data controller and the child.

Children’s information rights are also likely to be given added protection in the Government’s Data Protection Bill, currently proceeding through Parliament and which will complement the GDPR.

A new amendment will commit the ICO to produce a code of practice for data controllers on age-appropriate website design. While there are still some issues of detail to work out, it is a measure the ICO supports “whole-heartedly”, particularly as it furthers the concept of data protection by design, which is a key feature of GDPR.

The deadline for responding to the consultation is 28 February 2018. To access the draft guidance and the consultation, click here.