insideKENT Magazine Issue 72 - March 2018 | Page 143

BUSINESS THREE THINGS YOU NEED TO KNOW IF YOU DEAL WITH CHILDREN’S DATA BY MARC FARMER, PARTNER AT WILKINS KENNEDY, MAIDSTONE THE GENERAL DATA PROTECTION REGULATION (GDPR) COMES INTO FORCE FROM 25TH MAY 2018, AND AS THE DEADLINE GETS NEARER, EVERY ORGANISATION NEEDS TO ACT NOW TO ENSURE THEY ARE WELL PREPARED. IN PARTICULAR, THE INFORMATION COMMISSIONER’S OFFICE (ICO) HAS PRIORITISED CHILDREN’S DATA, BECAUSE CHILDREN MAY BE LESS AWARE OF THE RISKS INVOLVED WHEN IT COMES TO THE COLLECTING AND PROCESSING OF THEIR PERSONAL DATA. APPROPRIATE FRAMEWORKS WILL NEED TO BE DESIGNED WITH THIS IN MIND AND COMPLIANCE WITH THE DATA PROTECTION PRINCIPLES SHOULD BE CENTRAL TO ALL PROCESSING OF CHILDREN’S PERSONAL DATA. Ranging from large companies to a humble after school club, if you have access to any database holding details of a minor, then you will need to know these three things. 1) You will need to act lawfully for the handling and processing of such data Consent is one possible lawful basis, but the current Data Protection Bill states that only children aged 13 or over are able to provide their own consent. Under that age, they must have the consent from a parent or guardian. This is not yet set in stone until the bill becomes law, but organisations should be prepared and keep themselves up to date. 2) Children have the same rights as adults over their personal data If the bill becomes law, and children aged 13 will be able to provide their own consent, then they will have the same rights as adults when it comes to personal data. That means it is important that they understand how they consent to the collecting and processing of their data. Ideally, this should be stated in clear notices for children so that they are able to understand what rights they have. 3) It is not safe to assume that automation counts as consent Local offices: Ashford: 01233 629 255 / Canterbury: 01227 454 861 Maidstone: 01622 690 666 / Orpington: 01689 827 505 Sandwich: 01304 249 997 If your organisation uses marketing that is targeted at children, you need to make sure you’re aware of the specific protection surrounding target marketing, creating personality or user profiles. Just because responses may be automated between platforms, that doesn’t necessarily count as consent. Organisations need to guard against using children’s data in ways that may have a legal or similarly significant effect on the child. As long as data controllers can show that they are taking the right steps to consider children’s privacy, they should be well placed to demonstrate their compliance with the GDPR. More information can be found online at the ICO’s website, or alternatively, contact Wilkins Kennedy at our offices in Ashford, Canterbury, Maidstone, Orpington and Sandwich to see how we can help. [email protected] www.wilkinskennedy.com wilkinskennedy wilkinskennedy 143