Joe Torre, apprentice solicitor at Muckle LLP, unravels the new rules on children's data with some straightforward advice for businesses.
In under three months the biggest change in data protection law for 20 years will arrive. The importance of protecting children and their personal data is mentioned several times throughout the GDPR, yet the guidance on processing children’s data isn’t so clear.
Actually, the changes involve a lot of common sense, but if you’re struggling to fathom the new legislation surrounding children, here are some key things businesses should know.
You need a lawful basis’ to possess a child’s data
Under the GDPR, you must have a legal basis to process all data, including a child’s personal data. While consent is a basis, due to the inherent vulnerability of children, it’s harder to prove whether this consent is freely given and it’s advisable in some circumstances to rely on another legal basis.
-If your business offers information society services’ (online services basically) for children, then you must obtain parental consent from any child under 13 if you wish to process their personal data (unless you offer a counselling or preventative service).
-If a child is 13 or older you will need their consent, or their parents’ consent if they are not deemed to competently understand their data protection rights and are unable to give consent freely.
13 is the age when a child becomes an adult for UK data protection purposes, as currently proposed in the Data Protection Bill, subject to approval. If you process data across Europe the age varies from 13 to 16 depending on the country. Businesses must be able to verify that the person giving consent is either old enough, or has parental responsibility for the child.
In some circumstances it may be more suitable to rely on a different lawful basis.
Examples are: 1.Necessary for the performance of a contract.’ Companies should ensure that the child in question is competent enough to understand what he or she is agreeing to and can enter into a contract.
2. Legitimate interests’ to process a child’s personal data. When relying upon this, you must state what those legitimate interests are and ensure that relevant and appropriate measures are in place. In addition, it’s also crucial to align your interests with the interests of the child, and make sure there is a suitable balance.
Privacy policies must be child’s play
If you offer services to children, your privacy policies must be written in child-friendly language, making sure the child knows their rights and understands how their personal data will be processed.
It’s also good practice to run your privacy policies past some children first, so that you can say in confidence that you believe your policy documents are child friendly.
Marketing to children
If your business markets to children it is so important that it recognises the sensitive nature of its audience. Businesses need to understand that children are less able to comprehend the purpose of marketing.
It’s best to consult with regulating bodies such as the Advertising Standards Authority, to make sure that children will not inadvertently be exploited by the marketing you’re planning.
In the case of direct marketing, children have the same rights as everyone else, you must stop if they ask you to. Profiling or making decisions about children using solely automated means should be avoided or you should seek specialist advice if this is your intention.
Handling children’s personal data correctly is a crucial. After all, whose data is more vulnerable than a young person’s?
The point that we reiterate here at Muckle is that, although preparing for the GDPR can look like hard work at first, dig a little deeper and it actually presents an ideal opportunity for your business to re-educate staff and improve your internal operations.