Guide to Process Children's Personal Data Under GDPR

Slide Note
Embed
Share

Explore steps such as reading guides, conducting an information audit, identifying risks, and understanding lawful bases for processing children's personal data under GDPR. Consider Data Protection Impact Assessments and lawful bases like consent, contract performance, legal obligations, vital interests, public tasks, and legitimate interests.


Uploaded on Nov 14, 2024 | 0 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. Preparing for the GDPR - What do we need to do if we process children s personal data? Data Protection Practitioners Conference 2018 #DPPC2018

  2. Step 1 Read our Guide to the GDPR and our draft guidance on Children and the GDPR. Browse a copy in our reading area, or download from our website Data Protection Practitioners Conference 2018 #DPPC2018

  3. Step 2 Do an information audit Work out what personal data you hold about children, what you do with it and why Data Protection Practitioners Conference 2018 #DPPC2018

  4. Step 3 Identify what risks to the child might arise from your processing and think about how you can mitigate them. Data Protection Practitioners Conference 2018 #DPPC2018

  5. Consider doing a Data Protection Impact Assessment to help you assess this - This is always a good idea and if your processing is high risk then it s a requirement of the GDPR. A DPIA is particularly important when you are providing online services for children, profiling them, making automated decisions about them, or targeting them with marketing. Data Protection Practitioners Conference 2018 #DPPC2018

  6. For more information about what you need to consider in these scenarios browse or download our draft guidance on Children and the GDPR. For more information about Data Protection Impact Assessments go to our DPIA drop-in session or download our Guide to the GDPR. Data Protection Practitioners Conference 2018 #DPPC2018

  7. Step 4 Have a look at the lawful bases for processing set out at Article 6 of the GDPR. You will need to have an Article 6 lawful basis for processing for everything that you do with children s personal data. Data Protection Practitioners Conference 2018 #DPPC2018

  8. The 6 available bases are: Consent Necessary for the performance of a contract Compliance with a legal obligation Necessary to protect the vital interests of a natural person Public task Legitimate interests Data Protection Practitioners Conference 2018 #DPPC2018

  9. If you are a Public Authority then much of what you do will probably be linked to your official or public tasks and legitimate interests is unlikely to be an option for you. If you are a private organisation then legitimate interests may well be appropriate. Data Protection Practitioners Conference 2018 #DPPC2018

  10. Consent provides a basis for processing but dont assume it is the best or the only option other bases for processing are often more appropriate. If you provide online services to children on the basis of consent, the GDPR has some specific requirements about parental consent. To find out more browse or download our draft guidance on Children and the GDPR. Remember that consent isn t your only option though, even in an online context. Data Protection Practitioners Conference 2018 #DPPC2018

  11. For more information about identifying an appropriate basis for processing go to our Lawful Basis drop-in session or download our Guide to the GDPR. For more information about how the lawful bases might apply to children s personal data browse or download our draft guidance on Children and the GDPR. Data Protection Practitioners Conference 2018 #DPPC2018

  12. Step 5 If you are processing special categories of personal data , such as health data or biometric data then have a look at Article 9 of the GDPR and Schedule 1 of the Data Protection Bill. As well as having an Article 6 basis for processing you will need to satisfy an Article 9 condition to process special categories of children s personal data. Data Protection Practitioners Conference 2018 #DPPC2018

  13. Schedule 1 to the Data Protection Bill lists some circumstances in which Article 9 will provide a condition for processing in the UK. Most of these are quite specific and relate to particular processing scenarios. For example, one of them relates specifically to safeguarding children. Remember that the Data Protection Bill is still going through Parliament and isn t finalised yet, so if you identify a relevant Schedule 1 condition you will need to keep an eye on the wording in the Bill in case it changes. Data Protection Practitioners Conference 2018 #DPPC2018

  14. For more information about conditions for processing special categories of personal data browse or download our Guide to the GDPR. For more information about the Data Protection Bill download our Introduction to the Data Protection Bill. Data Protection Practitioners Conference 2018 #DPPC2018

  15. Step 6 Think about whether your processing is fair and have a look at the data protection principles in Article 5 of the GDPR. These principles should lie at the heart of all your processing of children s personal data. Data Protection Practitioners Conference 2018 #DPPC2018

  16. They cover matters such as keeping personal data secure, only collecting the minimum amount of personal data you need, and not keeping data for too long. For more information about the data protection principles browse or download a copy of our Guide to the GDPR. Data Protection Practitioners Conference 2018 #DPPC2018

  17. Step 7 Review the privacy information that you give to data subjects and make sure it is suitable for your intended audience. If you are addressing children directly then you should present the information in a child friendly way so that they will understand what you are telling them. Consider using diagrams, cartoons, graphics, videos or other ways of presenting information that are likely to appeal to children. Data Protection Practitioners Conference 2018 #DPPC2018

  18. In an online context consider using dashboards, icons, symbols and layered or just-in-time notices. Make sure that you provide all the information you need to - the specific GDPR requirements are set out in Articles 13 and 14. For further information browse or download our Guide to the GDPR, our draft guidance on Children and the GDPR or download our Privacy Notices Code of Practice. Data Protection Practitioners Conference 2018 #DPPC2018

  19. Step 8 Think about how you will help children to exercise their data protection rights. Children have the same rights over their personal data that adults do. These include the right to be given a copy of their personal data (subject access), the right to have their personal data erased and the right to object to processing. Data Protection Practitioners Conference 2018 #DPPC2018

  20. If you process childrens personal data then you need to make sure that your systems and processes for exercising these rights are easy for children to access and understand. In an online context you should consider the use of take down tools and the like. You also need to think about if and when you will allow parents to exercise data protection rights on behalf of their children, and when this won t be appropriate. For further information browse or download or Guide to the GDPR and draft guidance on Children and the GDPR Data Protection Practitioners Conference 2018 #DPPC2018

  21. Step 9 Think about how you will demonstrate your compliance with the GDPR. The same accountability requirements will apply when you are processing children s personal data as when you are processing an adult s personal data. These include requirements about when to appoint a Data Protection Officer and keeping records of processing activities. For further information about accountability and governance under the GDPR browse or download our Guide to the GDPR. Data Protection Practitioners Conference 2018 #DPPC2018

  22. Step 10 Think about whether you will be using a data processor or transferring children s personal data outside of the EU. There are specific requirements in the GDPR which apply when you ask someone else to process data on your behalf or when you transfer personal data outside the EU. Although these are not child specific requirements you will still need make sure you meet them if you process children s personal data in this way. Data Protection Practitioners Conference 2018 #DPPC2018

  23. Step 11 Put procedures in place to keep your processing under review and to deal with any problems that arise. Make sure that your security and compliance measures keep pace with new developments and changing technology, particularly in relation to age verification or parental consent verification solutions. Data Protection Practitioners Conference 2018 #DPPC2018

  24. Think about any changes you may need to make as the child get older or becomes an adult. For example parental consent may be replaced by the data subjects own consent. Put in place procedures to ensure you recognise and deal with any personal data breaches that may occur. For further information browse or download our Guide to the GDPR and our draft guidance on Children and the GDPR. Data Protection Practitioners Conference 2018 #DPPC2018

Related


More Related Content