What the ICO says –
“You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.”
What does this mean for your organisation –
Does your organisation offer goods or services to children? If you said no, prove it! How do you know that the person you sell to is not a child in the eyes of the local EU law for a member state?
It is your responsibility to verify the age of the individual and process PII accordingly. Bear in mind that if your organisation offers goods or services to EU member states then the lawful age of consent relating to data may be different from that of your organisation's country and as such needs to be dealt with accordingly.
If it is a minor then how do you get parental or guardian consent? Don’t forget that once you have consent you have to be able to audit correctly. Also, removal of consent needs addressing and this can be a real can of wigglies, as removal of consent doesn’t always require parental or guardian notification.
Love them or loathe them, children have rights too and in certain situations extremely strong rights, so get identifying your systems and get the correct ones in place.
Ironically the penalties for data breaches of the PII of a child are around 50% of that for an adult PII breach but I would confidently assume that the ICO would be far less forgiving when deciding on the size of a penalty for the breach of the PII of a child.
The 12 Days of GDPR snippets are not designed as a guide to make your organisation GDPR compliant, they are just to whet your appetite to get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation to become GDPR compliant.
What is the GDPR? – It is the new evolution of data protection across the EU. On May 25th, 2018 the General Data Protection Regulation becomes enforceable so if your organisation processes personally identifiable information of any EU resident then you need to be prepared for the GDPR otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest of sports clubs anywhere in the world, if your organisation offers goods or services, even free ones, to EU residents then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.