What steps should organisations take to prepare for the ICO Children’s code?

19th August 2021

The ICO’s Age Appropriate Design Code, also known as the Children’s Code, sets out 15 standards that organisations must meet to ensure that children’s experiences and personal data are protected online.

The three steps below are essential and need to be taken now, before the deadline on 2nd September 2021.

1. Establish whether your organisation is in scope, and how you evidence this.

All organisations must assess whether they are in scope, and be able to show how they reached that assessment. The two basic questions to ask are:

  • Does our service amount to a relevant information society service; and
  • Is that service likely to be accessed by children?

If the answer to both these questions is “yes”, then your organisation needs to be taking steps to ensure compliance. Even if the answer is “no” and you do not believe you are in scope, then you still need to document and evidence that decision. User testing and surveys, market research and academic literature will all be helpful to support your decision.

2. Undertake or review your current Data Protection Impact Assessment (DPIA)

If your organisation’s services are in scope, then you need to undertake an applicable DPIA. The ICO has published a template DPIA in the Code.

A DPIA is a detailed documentary exercise, where organisations need to map out the personal data collected by the organisation, the risks to data subjects of the data processing the organisation performs on the personal data, and how those risks are mitigated. In order to comply with the Code, the DPIA (or the update) will need to take into account these things with children specifically in mind, paying particular attention to differing age ranges, capacities and development needs. A detailed DPIA will be essential to proving compliance with the Code and other data protection legislation in the event of a complaint, dispute or investigation by the ICO.

3. Set out your next steps and be honest about work still to be done.

The ICO will assess conformity to the Code against the 15 headline standards. If your DPIA highlights any non-compliance with the Code, it is important to document the issues along with a plan for addressing each one.

Setting out your next steps and any work still to be done will demonstrate that your organisation is taking the Code seriously, even if you aren’t yet fully compliant. It also allows you to measure your progress as you work towards compliance.

Organisations should take a risk-based approach and prioritise work on the biggest issues first. If you haven’t taken any action yet, a realistic timeline that you stick to will be a useful tool, not just for ensuring compliance but also for demonstrating your organisation’s commitment to the Code.

Where can organisations get additional support?

SMB’s tech team is on hand to support your organisation, whether you are just starting to assess the scope of the Code, have more detailed queries about the Code, or need help with particular aspects of your compliance.

For more information and support on this topic please contact SMB’s Tech, IP and Digital Rights Team by emailing Raoul Lumb.