←Back to News

5 July 2021

Compliance with the Children’s Code: Data Protection Impact Assessments

By Faye Cheung, Researcher

Photo by Teo Zac on Unsplash

The Children’s Code comes into force on 2nd September 2021. All organisations within scope of the Children’s Code must be compliant by this date. Its scope covers those who provide ‘information society services likely to be accessed by children’.[1] This means that online services such as social media sites, news services, apps, programs, games and even toys that are connected to the internet are subject to the Code. This is mainly applicable to for-profit online services, which can include educational websites. For example, monetised educational apps that are likely to be used by children, even if they’re not primarily targeting children, will need to conform to the Code. If you are a public authority which provides an online public service then, as long as the type of service you offer is not typically provided on a commercial basis your service is not a relevant ISS. This is because it is not a service ‘normally provided for remuneration’.

Organisations who provide such services should not be daunted by the prospect of ensuring compliance because the Code’s principles are in line with the principles of the UK GDPR, which organisations should be practicing already to some extent. However, there are specific steps that such organisations do need to take before the 2nd September. One specific obligation under the Children’s Code is that organisations must complete a Data Protection Impact Assessment (DPIA).  This is both parts of the Children’s Code and is it is also a requirement of the UK GDPR.  Under the UK GDPR a DPIA must be completed before an organisation begins any type of data processing. Under the Children’s Code undertaking a DPIA will help organisations identify and mitigate data protection risks to children who are likely to access it. If organisations have not already done so then they should conduct a DPIA on their relevant existing services before September 2021. Going forward organisations should conduct a DPIA during the early design phase of any new relevant service before any personal data is processed.

DPIAs will help organisations to protect the rights and freedoms of children, as well as to protect themselves from penalties from the Code’s regulator, the Information Commissioner’s Office (ICO) or from later reputational damage. Furthermore, DPIAs will help protect from legal challenges from individuals or from groups of individuals – such as seen with the ongoing class action against Tiktok, where the former Children’s Commissioner for England, Anne Longfield, is suing Tiktok on behalf of millions of children in the UK and EU.[2] It is argued that Tiktok is taking and using children’s personal data without adequate warning, transparency or adequate consent from the children or their parents.[3] Therefore, considering the risks of non-compliance, it is important that DPIAs are conducted genuinely and thoroughly and not just as tick box exercises.

As emphasised by the ICO, the DPIA process is designed to be ‘flexible and scalable’ and therefore the process can be tailored to suit your organisation’s needs.[4] A helpful step by step guide as to how to conduct a DPIA is available on the ICO website here. Conducting DPIAs are just one of 15 ‘standards’ of the Children’s Code, which relevant organisations must meet.[5] For advice on how to achieve compliance with the full code visit the ICO’s Children’s code hub here. The ICO also have a brief explanatory video which is a great introduction to the Code for those who


[1] and [4] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/05/spotlight-on-the-children-s-code-standards-data-protection-impact-assessments/

[2] and [3] https://www.bbc.co.uk/news/technology-56815480#:~:text=TikTok%20is%20facing%20a%20legal,collects%20and%20uses%20children’s%20data.&text=If%20successful%2C%20the%20children%20affected,and%20it%20would%20fight%20it

[5] https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/code-standards/


© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)

Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (July 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.