Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018.


Step 1 Read our Guide to the GDPR and our draft guidance on Children and the GDPR. Browse a copy in our reading area, or download from our website.

Step 2 Do an information audit. Work out what personal data you hold about children, what you do with it and why.

Step 3 Identify what risks to the child might arise from your processing and think about how you can mitigate them.

Consider doing a Data Protection Impact Assessment (DPIA) to help you assess this. This is always a good idea, and if your processing is ‘high risk’ then it’s a requirement of the GDPR. A DPIA is particularly important when you are providing online services for children, profiling them, making automated decisions about them, or targeting them with marketing.

For more information about what you need to consider in these scenarios browse or download our draft guidance on Children and the GDPR. For more information about Data Protection Impact Assessments go to our DPIA drop-in session or download our Guide to the GDPR.

Step 4 Have a look at the lawful bases for processing set out at Article 6 of the GDPR. You will need to have an Article 6 lawful basis for processing for everything that you do with children’s personal data.

The 6 available bases are: Consent; Necessary for the performance of a contract; Compliance with a legal obligation; Necessary to protect the vital interests of a natural person; Public task; Legitimate interests.

If you are a Public Authority then much of what you do will probably be linked to your official or public tasks, and legitimate interests is unlikely to be an option for you. If you are a private organisation then legitimate interests may well be appropriate.

Consent provides a basis for processing but don’t assume it is the best or the only option – other bases for processing are often more appropriate. If you provide online services to children on the basis of consent, the GDPR has some specific requirements about parental consent. To find out more browse or download our draft guidance on Children and the GDPR. Remember that consent isn’t your only option though, even in an online context.

For more information about identifying an appropriate basis for processing go to our Lawful Basis drop-in session or download our Guide to the GDPR. For more information about how the lawful bases might apply to children’s personal data browse or download our draft guidance on Children and the GDPR.

Step 5 If you are processing ‘special categories of personal data’, such as health data or biometric data, then have a look at Article 9 of the GDPR and Schedule 1 of the Data Protection Bill. As well as having an Article 6 basis for processing you will need to satisfy an Article 9 condition to process special categories of children’s personal data.

Schedule 1 to the Data Protection Bill lists some circumstances in which Article 9 will provide a condition for processing in the UK. Most of these are quite specific and relate to particular processing scenarios. For example, one of them relates specifically to safeguarding children. Remember that the Data Protection Bill is still going through Parliament and isn’t finalised yet, so if you identify a relevant Schedule 1 condition you will need to keep an eye on the wording in the Bill in case it changes.

For more information about conditions for processing special categories of personal data browse or download our Guide to the GDPR. For more information about the Data Protection Bill download our Introduction to the Data Protection Bill.

Step 6 Think about whether your processing is fair and have a look at the data protection principles in Article 5 of the GDPR. These principles should lie at the heart of all your processing of children’s personal data.

They cover matters such as keeping personal data secure, only collecting the minimum amount of personal data you need, and not keeping data for too long. For more information about the data protection principles browse or download a copy of our Guide to the GDPR.

Step 7 Review the privacy information that you give to data subjects and make sure it is suitable for your intended audience. If you are addressing children directly then you should present the information in a child-friendly way so that they will understand what you are telling them. Consider using diagrams, cartoons, graphics, videos or other ways of presenting information that are likely to appeal to children.

In an online context consider using dashboards, icons, symbols and layered or just-in-time notices. Make sure that you provide all the information you need to - the specific GDPR requirements are set out in Articles 13 and 14. For further information browse or download our Guide to the GDPR, our draft guidance on Children and the GDPR or download our Privacy Notices Code of Practice.

Step 8 Think about how you will help children to exercise their data protection rights. Children have the same rights over their personal data that adults do. These include the right to be given a copy of their personal data (subject access), the right to have their personal data erased and the right to object to processing.

If you process children’s personal data then you need to make sure that your systems and processes for exercising these rights are easy for children to access and understand. In an online context you should consider the use of take down tools and the like. You also need to think about if and when you will allow parents to exercise data protection rights on behalf of their children, and when this won’t be appropriate. For further information browse or download our Guide to the GDPR and draft guidance on Children and the GDPR.

Step 9 Think about how you will demonstrate your compliance with the GDPR. The same accountability requirements will apply when you are processing children’s personal data as when you are processing an adult’s personal data. These include requirements about when to appoint a Data Protection Officer and keeping records of processing activities. For further information about accountability and governance under the GDPR browse or download our Guide to the GDPR.

Step 10 Think about whether you will be using a data processor or transferring children’s personal data outside of the EU. There are specific requirements in the GDPR which apply when you ask someone else to process data on your behalf or when you transfer personal data outside the EU. Although these are not child-specific requirements you will still need to make sure you meet them if you process children’s personal data in this way.

Step 11 Put procedures in place to keep your processing under review and to deal with any problems that arise. Make sure that your security and compliance measures keep pace with new developments and changing technology, particularly in relation to age verification or parental consent verification solutions.

Think about any changes you may need to make as the child gets older or becomes an adult. For example, parental consent may be replaced by the data subject’s own consent. Put in place procedures to ensure you recognise and deal with any personal data breaches that may occur. For further information browse or download our Guide to the GDPR and our draft guidance on Children and the GDPR.