insideKENT Magazine Issue 72 - March 2018 | Page 143
BUSINESS
THREE THINGS YOU NEED TO KNOW IF YOU DEAL WITH CHILDREN’S DATA
BY MARC FARMER, PARTNER AT WILKINS KENNEDY, MAIDSTONE
The General Data Protection Regulation (GDPR) comes into force from 25th May 2018, and as the deadline gets nearer, every organisation needs to act now to ensure they are well prepared. In particular, the Information Commissioner’s Office (ICO) has prioritised children’s data, because children may be less aware of the risks involved when it comes to the collecting and processing of their personal data. Appropriate frameworks will need to be designed with this in mind and compliance with the data protection principles should be central to all processing of children’s personal data.
Whether you are a large company or a humble after-school club, if you have access to any database holding details of a minor, then you will need to know these three things.
1) You will need to act lawfully in the handling and processing of such data
Consent is one possible lawful basis, but the current Data Protection Bill states that only children aged 13 or over are able to provide their own consent. Under that age, they must have consent from a parent or guardian. This is not set in stone until the bill becomes law, but organisations should be prepared and keep themselves up to date.
2) Children have the same rights as adults over their personal data
If the bill becomes law and children aged 13 are able to provide their own consent, then they will have the same rights as adults when it comes to personal data. That means it is important that they understand how they consent to the collecting and processing of their data. Ideally, this should be stated in clear notices for children so that they are able to understand what rights they have.
3) It is not safe to assume that automation counts as consent
If your organisation uses marketing that is targeted at children, you need to make sure you’re aware of the specific protection surrounding target marketing and the creation of personality or user profiles. The fact that responses may be automated between platforms doesn’t necessarily count as consent. Organisations need to guard against using children’s data in ways that may have a legal or similarly significant effect on the child.
As long as data controllers can show that they are taking the right steps to consider children’s privacy, they should be well placed to demonstrate their compliance with the GDPR.
More information can be found online at the ICO’s website, or alternatively, contact Wilkins Kennedy at our offices in Ashford, Canterbury, Maidstone, Orpington and Sandwich to see how we can help.
Local offices:
Ashford: 01233 629 255 / Canterbury: 01227 454 861
Maidstone: 01622 690 666 / Orpington: 01689 827 505
Sandwich: 01304 249 997
www.wilkinskennedy.com