The ICO’s Age Appropriate Design Code, also known as the Children’s Code, sets out 15 standards that organisations must meet to ensure that children’s experiences and personal data is protected online.
The below three steps are essential and need to be taken now before the deadline on 2nd September 2021.
1. Establish whether your organisation is in scope, and how you evidence this.
All organisations must assess whether they are in scope or not, and how they came to make this assessment. The two basic questions to ask are:
If the answer to both these questions is “yes”, then your organisation needs to be taking steps to ensure compliance. Even if the answer is “no” and you do not believe you are in scope, then you still need to document and evidence that decision. User testing and surveys, market research and academic literature will all be helpful to support your decision.
2. Undertake or review your current Data Protection Impact Assessment (DPIA)
If your organisation’s services are in scope, then you need to undertake an applicable DPIA. The ICO has published a template DPIA in the Code.
A DPIA is a detailed documentary exercise, where organisations need to map out the personal data collected by the organisation, the risks to data subjects of the data processing the organisation performs on the personal data, and how those risks are mitigated. In order to comply with the Code, the DPIA (or the update) will need to take into account these things with children specifically in mind, paying particular attention to differing age ranges, capacities and development needs.A detailed DPIA will be essential to proving compliance with the Code and other data protection legislation in the event of a complaint, dispute or investigation by the ICO.
3. Set out your next steps and be honest about work still to be done.
The ICO will assess conformity to the Code against the 15 headline standards. If your DPIA highlights any non-compliance with the Code, it is important to document the issues along with a plan for addressing each one.
Setting out your next steps and any work still to be done will demonstrate that your organisation is taking the Code seriously, even if you aren’t yet fully compliant. It also allows you to measure your progress as you work towards compliance.
Organisations should take a risk-based approach and prioritise work on the biggest issues first. If you haven’t taken any action yet, a realistic timeline which you stick to, will be a useful tool not just for ensuring compliance, but demonstrating your organisation’s commitment to the Code.
Where can organisations get additional support?
SMB’s tech team is on hand to support your organisation, whether you are just starting to assess the scope of the Code, have more detailed queries about the Code, or need help with particular aspects of your compliance.
For more information and support on this topic please contact SMB’s Tech, IP and Digital Rights Team by emailing Raoul Lumb.
Simons Muirhead Burton is pleased to have acted for founders of employee benefits specialists Drewberry Limited on their sale to global insurance leader Brown & Brown.
Read moreFollowing his ongoing high profile LinkedIn campaign and the series of articles that he has written on the Horizon Post Office Scandal, Partner and Co-head of SMB’s Commercial Media team, Simon Goldberg has made a podcast with former Sub-Postmaster Lee Castleton.
Read moreSimons Muirhead Burton is proud to have advised on the acquisition of the sequel and television rights to the Academy Award-winning film Slumdog Millionaire.
Read more