Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018.

Published byNelson McDonald Modified over 5 years ago

Similar presentations

Presentation on theme: "Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018."— Presentation transcript:

1 Preparing for the GDPR - What do we need to do if we process children’s personal data?
Data Protection Practitioners’ Conference 2018 #DPPC2018

2 Step 1 Read our Guide to the GDPR and our draft guidance on Children and the GDPR. Browse a copy in our reading area, or download from our website Data Protection Practitioners’ Conference 2018 #DPPC2018

3 #DPPC2018 Step 2 Do an information audit
Work out what personal data you hold about children, what you do with it and why Data Protection Practitioners’ Conference 2018 #DPPC2018

4 Step 3 Identify what risks to the child might arise from your processing and think about how you can mitigate them. Data Protection Practitioners’ Conference 2018 #DPPC2018

5 Consider doing a Data Protection Impact Assessment to help you assess this - This is always a good idea and if your processing is ‘high risk’ then it’s a requirement of the GDPR. A DPIA is particularly important when you are providing online services for children, profiling them, making automated decisions about them, or targeting them with marketing. Data Protection Practitioners’ Conference 2018 #DPPC2018

6 For more information about what you need to consider in these scenarios browse or download our draft guidance on Children and the GDPR. For more information about Data Protection Impact Assessments go to our DPIA drop-in session or download our Guide to the GDPR. Data Protection Practitioners’ Conference 2018 #DPPC2018

7 Step 4 Have a look at the lawful bases for processing set out at Article 6 of the GDPR. You will need to have an Article 6 lawful basis for processing for everything that you do with children’s personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018

8 #DPPC2018 The 6 available bases are: Consent
Consent Necessary for the performance of a contract Compliance with a legal obligation Necessary to protect the vital interests of a natural person Public task Legitimate interests Data Protection Practitioners’ Conference 2018 #DPPC2018

9 If you are a Public Authority then much of what you do will probably be linked to your official or public tasks and legitimate interests is unlikely to be an option for you. If you are a private organisation then legitimate interests may well be appropriate. Data Protection Practitioners’ Conference 2018 #DPPC2018

10 Consent provides a basis for processing but don’t assume it is the best or the only option – other bases for processing are often more appropriate. If you provide online services to children on the basis of consent, the GDPR has some specific requirements about parental consent. To find out more browse or download our draft guidance on Children and the GDPR. Remember that consent isn’t your only option though, even in an online context. Data Protection Practitioners’ Conference 2018 #DPPC2018

11 For more information about identifying an appropriate basis for processing go to our Lawful Basis drop-in session or download our Guide to the GDPR. For more information about how the lawful bases might apply to children’s personal data browse or download our draft guidance on Children and the GDPR. Data Protection Practitioners’ Conference 2018 #DPPC2018

12 Step 5 If you are processing ‘special categories of personal data’, such as health data or biometric data then have a look at Article 9 of the GDPR and Schedule 1 of the Data Protection Bill. As well as having an Article 6 basis for processing you will need to satisfy an Article 9 condition to process special categories of children’s personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018

13 Schedule 1 to the Data Protection Bill lists some circumstances in which Article 9 will provide a condition for processing in the UK. Most of these are quite specific and relate to particular processing scenarios. For example, one of them relates specifically to safeguarding children. Remember that the Data Protection Bill is still going through Parliament and isn’t finalised yet, so if you identify a relevant Schedule 1 condition you will need to keep an eye on the wording in the Bill in case it changes. Data Protection Practitioners’ Conference 2018 #DPPC2018

14 For more information about conditions for processing special categories of personal data browse or download our Guide to the GDPR. For more information about the Data Protection Bill download our Introduction to the Data Protection Bill. Data Protection Practitioners’ Conference 2018 #DPPC2018

15 Step 6 Think about whether your processing is fair and have a look at the data protection principles in Article 5 of the GDPR. These principles should lie at the heart of all your processing of children’s personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018

16 They cover matters such as keeping personal data secure, only collecting the minimum amount of personal data you need, and not keeping data for too long. For more information about the data protection principles browse or download a copy of our Guide to the GDPR. Data Protection Practitioners’ Conference 2018 #DPPC2018

17 Step 7 Review the privacy information that you give to data subjects and make sure it is suitable for your intended audience. If you are addressing children directly then you should present the information in a child friendly way so that they will understand what you are telling them. Consider using diagrams, cartoons, graphics, videos or other ways of presenting information that are likely to appeal to children. Data Protection Practitioners’ Conference 2018 #DPPC2018

18 In an online context consider using dashboards, icons, symbols and layered or just-in-time notices.
Make sure that you provide all the information you need to - the specific GDPR requirements are set out in Articles 13 and 14. For further information browse or download our Guide to the GDPR, our draft guidance on Children and the GDPR or download our Privacy Notices Code of Practice. Data Protection Practitioners’ Conference 2018 #DPPC2018

19 Step 8 Think about how you will help children to exercise their data protection rights. Children have the same rights over their personal data that adults do. These include the right to be given a copy of their personal data (subject access), the right to have their personal data erased and the right to object to processing. Data Protection Practitioners’ Conference 2018 #DPPC2018

20 If you process children’s personal data then you need to make sure that your systems and processes for exercising these rights are easy for children to access and understand. In an online context you should consider the use of take down tools and the like. You also need to think about if and when you will allow parents to exercise data protection rights on behalf of their children, and when this won’t be appropriate. For further information browse or download or Guide to the GDPR and draft guidance on Children and the GDPR Data Protection Practitioners’ Conference 2018 #DPPC2018

21 Step 9 Think about how you will demonstrate your compliance with the GDPR. The same accountability requirements will apply when you are processing children’s personal data as when you are processing an adult’s personal data. These include requirements about when to appoint a Data Protection Officer and keeping records of processing activities. For further information about accountability and governance under the GDPR browse or download our Guide to the GDPR. Data Protection Practitioners’ Conference 2018 #DPPC2018

22 Step 10 Think about whether you will be using a data processor or transferring children’s personal data outside of the EU. There are specific requirements in the GDPR which apply when you ask someone else to process data on your behalf or when you transfer personal data outside the EU. Although these are not child specific requirements you will still need make sure you meet them if you process children’s personal data in this way. Data Protection Practitioners’ Conference 2018 #DPPC2018

23 Step 11 Put procedures in place to keep your processing under review and to deal with any problems that arise. Make sure that your security and compliance measures keep pace with new developments and changing technology, particularly in relation to age verification or parental consent verification solutions. Data Protection Practitioners’ Conference 2018 #DPPC2018

24 Think about any changes you may need to make as the child get older or becomes an adult. For example parental consent may be replaced by the data subjects own consent. Put in place procedures to ensure you recognise and deal with any personal data breaches that may occur. For further information browse or download our Guide to the GDPR and our draft guidance on Children and the GDPR. Data Protection Practitioners’ Conference 2018 #DPPC2018

Download ppt "Preparing for the GDPR - What do we need to do if we process children’s personal data? Data Protection Practitioners’ Conference 2018 #DPPC2018."

Similar presentations

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
GDPR 12 POINTS 679/2016 DATA LEX 2016.

GDPR 12 POINTS 679/2016 DATA LEX 2016.
Tony Sheppard Mobile Guardian

Tony Sheppard Mobile Guardian
Presentation to GTMC on GDPR

Presentation to GTMC on GDPR
General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)
GDPR Awareness and Training Workshop

GDPR Awareness and Training Workshop
General Data Protection Regulation

General Data Protection Regulation
General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.

General Data Protection Regulations Preparing for the upcoming changes in data protection law David Jones & Angharad Williams.
Museums + Heritage webinar, 30 November 2017

Museums + Heritage webinar, 30 November 2017
The EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR)
GDPR Overview Gydeline – October 2017

GDPR Overview Gydeline – October 2017
Data Protection Update – GDPR or bust

Data Protection Update – GDPR or bust
GDPR Overview GDPR - General Data Protection Regulations

GDPR Overview GDPR - General Data Protection Regulations
GDPR support January GDPR support January 2018.

GDPR support January GDPR support January 2018.
GDPR Overview Gydeline – October 2017

GDPR Overview Gydeline – October 2017
The European Union General Data Protection Regulation (GDPR)

The European Union General Data Protection Regulation (GDPR)
Nina Barakzai November 2017

Nina Barakzai November 2017

Similar presentations

Ads by Google