Data Protection and Children

Data protection law has existed in the UK since 1984 with several revisions each delivering more rights to individuals regarding their data privacy.

The explosion of the data driven economy led by the increasing reliance on the internet has raised many questions about privacy and security of, in some cases, our most personal of data that is now stored in vast server farms all over the world.

Data protection standards and system security are not the same in all countries across the world. The EU recognised that their citizens could possibly be at risk of unknowingly having their data harvested and used for a range of reasons without consent.

Fast forward to May 2016 when GDPR came into force with a 2-year grace period. I am sure we all remember the last-minute panic to try to get everything done in time for the May 25th 2018. In the UK, the Data Protection Act 2018 received Royal Assent and was committed to the UK statue books and complements GDPR.

Sitting alongside theses 2 pieces of legislation is PECR (Privacy of Electronic Communications Regulation) which governs privacy standards specifically on an electronic level – email marketing, tracking visitors to websites and communications security.

GDPR and Children

Under GDPR children have the same rights as adults and therefore can expect the same protection levels including exercising their rights to raise a subject access request and the right to be forgotten. However, they are deemed to be vulnerable due and as such additional considerations must be provided.

Even young children own their own data and can exercise their rights, parents do not own the children’s data and do not automatically have a legal right to raise a data subject access request regarding a child’s data. GDPR defines the age that a child can give consent as 16 however in the UK the age limit was lowered to 13.

Information provided to children in documentation (T&Cs, privacy policies etc) must be delivered in clear, simple language that is easily understood by them including, where necessary different versions for adults and children. If your business requires payment for services, then parent or guardian consent is required for children under 16.

Data controllers have a duty to make all reasonable efforts to ensure that adults giving consent on behalf of a child have parental responsibility for the child.

GDPR and Franchises

A Franchisors most asset is the brand and enforcement action taken against any of your Franchisees can result in serious damage to that brand.

It is important that Franchisors understand their own obligations both to their own business and to the individual franchise owners operating as separate businesses who also have their own compliance to manage.

Franchise documentation must include GDPR with clear management processes setting standards including reporting issues, particularly any enforcement actions to the Franchisor. This will allow reputational management where required.

A key feature of training for Franchisees should be GDPR awareness with guidance provided on their obligations and how to manage the processes required to provide compliance assurance.

Future Developments

The recent cancellation of the EU/US privacy shield requires immediate action by businesses, and this will bring change.

The ePrivacy Regulation will bring greater protection and stricter regulation of the digital world. Services such as Whatsapp, Skype, and other messenger apps will be impacted as will rules around Cookie management.

Balancing tech innovation and privacy has presented also challenges as we move into an era of AI and automated decision making with concerns that GDPR has stifled new service developments with concerns this has reduced individual choice. EU data protection authorities are aware they need to consider the need to protect privacy vs allowing access to data in cases such as child abuse, fraud and/or identity theft or other serious crime.


At the time of writing there are still many questions outstanding as trade negotiations are ongoing. However, it is likely that UK business compliance with GDPR, ePR and other EU regulations will still be required and therefore requirements to update, train and keep up to date will be ongoing.

Author: Jo Brianti, JLB Business Consulting

Jo Brianti is a GDPR and Systems Consultant who delivers GDPR training and compliance services, business management process development and improvement with supporting tech consultancy.

By becoming a member of ICAP you’re joining a community of like-minded professionals and business owners in the children’s activity sector working towards excellence

Pip Wilkins

Pip Wilkins is the Chief Executive of the British Franchise Association (bfa). With 25 years’ experience in the franchise sector, Pip has worked her way up within the Association, gaining insight from all areas of the business and the franchise industry. She is well-known and highly regarded in franchising for her dedication and depth of knowledge. Pip regularly speaks at conferences and seminars both domestically and internationally, as well as writing on franchising matters for national, local and franchising trade press. Pip is also a regular judge for the annual bfa HSBC Franchise Awards, the Franchise Marketing Awards and Global Franchise Awards. Pip represents the UK at both the European Franchise Federation (EFF) and World Franchise Council (WFC). The bfa has grown to be one of the largest franchise associations in Europe, and one of the most successful associations in the world.

Theo Millward

Theo Millward is a graduate of Lancaster University with a BBA in Management. In 2016 Theo purchased UK swim school, Swimtime from the founders which teaches 20,000 children a week. Following a multi-award- winning digital transformation, during the global pandemic, Theo and his team founded Franscape, a saas that digitally transforms Franchise brands. FranScape won New Business of the Year at the UK Business Awards.

Andy Georgiou

Andy is the Founder of ICAP and a leading UK Franchise Business Consultant. He is fiercely committed to helping children’s activity providers build successful and profitable businesses. With qualifications in Business Management, Digital Media and Marketing, he has helped build, advise and grow leading 6 and 7 fiqure children’s education, sports and activity brands in the past 17 years.

Frank Sahlein

Frank has been active in the Children’s Activity Center industry as an athlete, coach, business owner, consultant and business broker. He is a native of San Mateo, California and graduated from San Jose State University in California (USA).
Frank was a pioneer of the Children’s Learning Opportunity Center concept from 1976 – 2016 at the Wings Center in Boise, Idaho (USA) – a blend of Sports Instruction, Arts, Education, Entertainment and Outreach programs.
As a business management innovator, Frank has delivered over 1,000 presentations for a variety of Children’s Activity Center industries such as gymnastics, swimming, cheerleading, dance, martial arts/ninja and child care/education.
3rd Level Consulting is a Business Development and Service Provider Partner for private industry companies, associations, and organizations in the USA, Australia, Canada, New Zealand, Singapore, the United Kingdom, Mexico, and Panama.
Two-time recipient of the National Business Leader Award from USA Gymnastics, Frank is the author of “Building Your Business Potential” and “Designing Your Empowered Life”. He is the creator of the SmartEDGE™ Business Applications and Management Certification Courses. He is the co-founder of LEAP Learning and the MetaSpheres Corp, and is the founder and Executive Director of the International Association of Child Development Programs.
His passions include his beautiful wife Lourdes Gonzalez, family, friends, fitness training, transformational reading and travel.