Data Protection and Children

Data protection law has existed in the UK since 1984 with several revisions each delivering more rights to individuals regarding their data privacy.

The explosion of the data driven economy led by the increasing reliance on the internet has raised many questions about privacy and security of, in some cases, our most personal of data that is now stored in vast server farms all over the world.

Data protection standards and system security are not the same in all countries across the world. The EU recognised that their citizens could possibly be at risk of unknowingly having their data harvested and used for a range of reasons without consent.

Fast forward to May 2016 when GDPR came into force with a 2-year grace period. I am sure we all remember the last-minute panic to try to get everything done in time for the May 25th 2018. In the UK, the Data Protection Act 2018 received Royal Assent and was committed to the UK statue books and complements GDPR.

Sitting alongside theses 2 pieces of legislation is PECR (Privacy of Electronic Communications Regulation) which governs privacy standards specifically on an electronic level – email marketing, tracking visitors to websites and communications security.

GDPR and Children

Under GDPR children have the same rights as adults and therefore can expect the same protection levels including exercising their rights to raise a subject access request and the right to be forgotten. However, they are deemed to be vulnerable due and as such additional considerations must be provided.

Even young children own their own data and can exercise their rights, parents do not own the children’s data and do not automatically have a legal right to raise a data subject access request regarding a child’s data. GDPR defines the age that a child can give consent as 16 however in the UK the age limit was lowered to 13.

Information provided to children in documentation (T&Cs, privacy policies etc) must be delivered in clear, simple language that is easily understood by them including, where necessary different versions for adults and children. If your business requires payment for services, then parent or guardian consent is required for children under 16.

Data controllers have a duty to make all reasonable efforts to ensure that adults giving consent on behalf of a child have parental responsibility for the child.

GDPR and Franchises

A Franchisors most asset is the brand and enforcement action taken against any of your Franchisees can result in serious damage to that brand.

It is important that Franchisors understand their own obligations both to their own business and to the individual franchise owners operating as separate businesses who also have their own compliance to manage.

Franchise documentation must include GDPR with clear management processes setting standards including reporting issues, particularly any enforcement actions to the Franchisor. This will allow reputational management where required.

A key feature of training for Franchisees should be GDPR awareness with guidance provided on their obligations and how to manage the processes required to provide compliance assurance.

Future Developments

The recent cancellation of the EU/US privacy shield requires immediate action by businesses, and this will bring change.

The ePrivacy Regulation will bring greater protection and stricter regulation of the digital world. Services such as Whatsapp, Skype, and other messenger apps will be impacted as will rules around Cookie management.

Balancing tech innovation and privacy has presented also challenges as we move into an era of AI and automated decision making with concerns that GDPR has stifled new service developments with concerns this has reduced individual choice. EU data protection authorities are aware they need to consider the need to protect privacy vs allowing access to data in cases such as child abuse, fraud and/or identity theft or other serious crime.


At the time of writing there are still many questions outstanding as trade negotiations are ongoing. However, it is likely that UK business compliance with GDPR, ePR and other EU regulations will still be required and therefore requirements to update, train and keep up to date will be ongoing.

Author: Jo Brianti, JLB Business Consulting

Jo Brianti is a GDPR and Systems Consultant who delivers GDPR training and compliance services, business management process development and improvement with supporting tech consultancy.

By becoming a member of ICAP you’re joining a community of like-minded professionals and business owners in the children’s activity sector working towards excellence