The EU General Data Protection Regulation (GDPR) comes into force on May 25th, 2018. What does this mean for businesses around the world? Data controllers and processors globally will need to adhere to the regulation if they collect, use and store personal data of EU citizens. The regulation gives children the same rights that all data subjects enjoy, but with added protections. Violations will result in hefty fines. Here are the top 5 things to know with regard to children’s privacy:
1. Know what personal data you process.
Ask yourself: Do you know what you collect, where it comes from, and who you share it with?
Notice must be provided for each purpose for which the personal data is being processed. It is not valid to seek blanket consent from a data subject by asking them, for example, to agree to “all our processing needs.”
2. Understand your data subject’s rights with regard to their personal data.
Ask yourself: How well do you know the rights of your data subjects?
Data subjects have a number of rights over their personal data. Minors have enhanced protection and rights. Parents who provide consent on behalf of a child also have increased rights. It is key to understand these rights and ensure you have a process in place to meet them.
3. Verify role or age of minors.
Ask yourself: How are you going to verify age according to the age of consent in each EU Member State?
If your service attracts minors at or above the age of consent, you have a responsibility to verify their status (e.g., role or age). This policy is still under discussion, so showing the steps taken to verify that the minor has reached the age of consent will need to be addressed.
4. Obtain parental consent if needed.
Ask yourself: Do you have a secure method of obtaining parental consent?
Meaningful parental consent and how to obtain it will depend on the sensitivity of the personal data collected. Understand what you are collecting and processing and the level of consent needed from the holder of parental responsibility.
5. Be prepared in case of a data breach.
Ask yourself: Do you understand your obligations for data breach notification?
A security information policy is key to storing personal data, but do you also have a data breach notification policy in place? What steps will you take in the event of a breach to investigate, inform and mitigate? These are key questions that need to be answered.
PRIVO can support your app or site to ensure compliance and avoid violations. It’s not too late to get your service in shape for May. PRIVO's experience in the children's online privacy space and position as an influencer in the industry ensure the highest standards of support for your organization. Learn more about PRIVO's GDPRkids™ Privacy Assurance program.