Although this blog is significantly shorter than previous blogs it covers a significant area of the GDPR that could have a huge impact on unprepared organisations.
Many organisations’ initial view will be that the need to have policies in place for children in their GDPR compliance is unnecessary. When an organisation operates exclusively within the business to business arena the extra requirements surrounding children’s data appears a distraction at first viewing. However, look deeper and the potential significance for every business becomes abundantly clear. The GDPR best practice suggests that organisations should consider for example whether or not systems should be in place to verify the age of individuals who either enter data into contact forms or request information via the organisation’s website, and allied to this and perhaps even more importantly they should consider the need to obtain parental or guardian consent for any potential data processing activities.
The GDPR has ‘special’ protection for children’s personal data, the details of which are beyond the scope of this blog. However, organisations that have links to or from social media sites should be aware of this. For reference the GDPR sets the age for when a child can give consent in their own right to data processing at 16 (this age limit may be lowered to 13 within the UK in certain very specific instances). Consequently, children under the age of 16 will require both the data controller and the data processer to obtain consent from the person who holds ‘parental responsibility’ for the child.
There are obvious and significant implications for all organisations not least those that are active on social media with links to their website, even when they would regard themselves as an organisation that would not normally hold data regarding children. Referring back to our blog regarding consent it must be remembered that consent has to be verifiable, and that the privacy notice must be written in language that is unambiguous and easy to understand – for every potential [user][visitor].