The DPC is determined to drive a transformation in how the personal data of children is handled and the Fundamentals represent an important stepping stone in this evolution.
Given that the Fundamentals will inform the DPC’s approach to supervision, regulation and enforcement in the area of processing of children’s personal data, all controllers who process children’s data should carefully review this guidance and take its recommendations on board.
The DPC considers that where organisations have conducted (or have failed to conduct) a thorough and meaningful DPIA in relation to the processing of personal data of child users, this will be a relevant factor in any assessment by the DPC of an organisation’s compliance with its obligations under the GDPR, particularly in relation to the controller’s responsibilities under Article 24 (as referenced at the beginning of Section 7) including the obligation to take account of the varying likelihood and severity of risks posed to individuals as result of the processing of their personal data. A child-oriented DPIA is the first step in mitigating risk arising from processing children’s personal data, and will be seen as a key act of compliance with existing legal requirements for protecting the position of children as data subjects.
About The Fundamentals Collaboration Toolkit
During 2021/2022 we engaged in a consultation and observation process with the Data Protection Commission (DPC) Ireland, to digitally transform Section 7 tools into an online collaboration Child-Oriented DPIA and Data Protection by Design and Default toolkit with Microsoft 365 Excel . This toolkit empowers organisations with collaborative cloud-based templates solution, to simplify compliance with key principles 13 and 14 of the Fundamentals; and also includes toolkits based on ENOC » Child Rights Impact Assessment:
- 13. DO A DPIA: Online service providers should undertake data protection impact assessments (DPIA) to minimise the data protection risks of their services, and in particular the specific risks to children which arise from the processing of their personal data. The principle of the best interests of the child must be a key criterion in any DPIA and must prevail over the commercial interests of an organisation in the event of a conflict between the two sets of interests (Section 7.1 “Data Protection Impact Assessments”).
- 14. BAKE IT IN: Online service providers that routinely process children’s personal data should, by design and by default, have a consistently high level of data protection which is “baked in” across their services (Section 7.2 “Data Protection by Design and Default”).
- Child Rights Impact Assessment: Child Rights Impact Assessment (CRIA) examines the potential impacts on children and young people of laws, policies, budget decisions, programmes and services as they are being developed and, if necessary, suggests ways to avoid or mitigate any negative impacts. This is done prior to the decision or action being set in place. ENOC » Child Rights Impact Assessment
"Accordingly, organisations may wish to consider the use of CRIAs as a tool for translating the best interests of the child principle into practice. In the DPC’s view, doing a comprehensive CRIA represents a powerful tool for assisting an organisation in demonstrating its compliance with its Article 24 and 25 GDPR obligations in respect of processing children’s data."
A GDPR collaborative solution with Microsoft 365 Excel to help implement and demonstrate compliance with The Fundamentals
"The DPC notes that complying with an age-appropriate/child-oriented regime of data protection will involve costs and take creativity on the part of service designers, however, children are one in three users, and represent the adult market of the future. A healthy and supportive relationship with children is therefore, in the long-term, to the benefit of brands and businesses across all sectors." The Fundamentals
7.1 Data Protection Impact Assessment (DPIA)
1.2 The Fundamentals
7.1 Child-Oriented Data Protection Impact Assessment (DPIA)
