2. Data protection impact assessments

What do you mean by a ‘DPIA’?

A DPIA is a defined process to help you identify and minimise the data protection risks of your service – and in particular the specific risks to children who are likely to access your service which arise from your processing of their personal data.

You should begin a DPIA early in the design of your service, before you start your processing. It should include these steps:

• Step 1: identify the need for a DPIA
• Step 2: describe the processing
• Step 3: consider consultation
• Step 4: assess necessity and proportionality
• Step 5: identify and assess risks arising from your processing
• Step 6: identify measures to mitigate the risks
• Step 7: sign off, record and integrate outcomes

The DPIA process is designed to be flexible and scalable. You can design a process that fits with your existing approach to design and development, as long as it contains these key elements, and the outcomes influence the design of your service. It does not need to be a time-consuming process in every case.

Why are DPIAs important?

DPIAs are a key part of your accountability obligations under the GDPR, and help you adopt a ‘data protection by design’ approach. A good DPIA is also an effective way to assess and document your compliance with all of your data protection obligations and the provisions of this code.

The GDPR says you must do a DPIA before you begin any type of processing that is likely to result in a high risk to the rights and freedoms of individuals.

This is not about whether your service is actually high risk, but about screening for potential indicators of high risk. The nature and context of online services within the scope of this code mean they inevitably involve a type of processing likely to result in a high risk to the rights and freedoms of children.

The ICO is required by Article 35(4) of the GDPR to publish a list of processing operations that require a DPIA. This list supplements GDPR criteria and relevant European guidelines, and includes: 

“the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.”

Online services may also trigger several other criteria indicating the need for a DPIA, including innovative technology, large-scale profiling, biometric data, and online tracking. In practice, this means that if you offer an online service likely to be accessed by children, you must do a DPIA.

However, DPIAs are not just a compliance exercise. Your DPIA should consider compliance risks, but also broader risks to the rights and freedoms of children that might arise from your processing, including the potential for any significant material, physical, psychological or social harm.

An effective DPIA allows you to identify and fix problems at an early stage, designing data protection in from the start. This can bring cost savings and broader benefits for both children and your organisation. It can reassure parents that you protect their children’s interests and your service is appropriate for children to use. The consultation phase of a DPIA can also give children and parents the chance to have a say in how their data is used, help you build trust, and improve your understanding of child-specific needs, concerns and expectations. It may also help you avoid reputational damage later on.

How can we make sure that we meet this standard?

There is no definitive DPIA template, but you can use or adapt the template included as an annex to this code if you wish.

You must consult your Data Protection Officer (DPO) (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.

Your DPIA must have a particular focus on the specific rights of and risks to children using your service that arise from your data processing. It should also assess and document your compliance with this code. You should build these additional elements into each stage of your DPIA, not bolt them on the end.

You need to follow the usual DPIA process set out in our separate guidance on how to conduct a DPIA, but you should build in the following specific issues at each stage.

Step 1: Identify when to do your DPIA

You must embed a DPIA into the design of any new online service that is likely to be accessed by children. You must complete your DPIA before the service is launched, and ensure the outcomes can influence your design. You should not treat a DPIA as a rubber stamp or tick-box exercise at the end of the design process.

You must also do a DPIA if you are planning to make any significant changes to the processing operations of an existing online service likely to be accessed by children.

An external change to the wider context of your service may also prompt you to review your DPIA. For example, if a new security flaw is identified, or a new public concern is raised over specific features of your service or particular risks to children.

Step 2: Describe the processing

You need to describe the nature, scope, context and purposes of the processing. In particular, you should include:

• whether you are designing your service for children;
• if not, whether children are nevertheless likely to access your service;
• the age range of those children;
• your plans, if any, for parental controls;
• your plans, if any, for establishing the age of your individual users;
• the intended benefits for children;
• the commercial interests (of yourself or third parties) that you have taken into account
• any profiling or automated decision-making involved;
• any geolocation elements;
• the use of any nudge techniques;
• any processing of special category data;
• any processing of inferred data;
• any current issues of public concern over online risks to children;
• any relevant industry standards or codes of practice;
• your responsibilities under the applicable equality legislation for England, Scotland, Wales and Northern Ireland; and
• any relevant guidance or research on the development needs, wellbeing or capacity of children in the relevant age range.

Step 3: Consult with children and parents

Depending on the size of your organisation, resources and the risks you have identified, you can seek and document the views of children and parents (or their representatives), and take them into account in your design.

We will expect larger organisations to do some form of consultation in most cases. For example, you could choose to get feedback from existing users, carry out a general public consultation, conduct market research, conduct user testing, or contact relevant children’s rights groups for their views. This should include feedback on the child’s ability to understand the ways you use their data and the information you provide. If you consider that it is not possible to do any form of consultation, or it is unnecessary or wholly disproportionate, you should record that decision in your DPIA, and be prepared to justify it to us. However, it is usually possible to carry out some form of market research or user feedback.

You should also consider seeking independent advice from experts in children’s rights and developmental needs as part of this stage. This is especially important for services which:

• are specifically designed for children;
• are designed for general use but known to be widely used by children (such as games or social media sites); or
• use children’s data in novel or unanticipated ways.

Step 4: Assess necessity, proportionality and compliance

You need to explain why your processing is necessary and proportionate for your service. You must also include information about how you comply with the GDPR, including:

• your lawful basis for processing (see Annex C);
• your condition for processing any special category data;
• measures to ensure accuracy, avoid bias and explain use of AI; and
• specific details of your technological security measures (eg hashing or encryption standards).

In addition, at this stage you should include an explanation of how you conform to each of the standards set out in this code.

Step 5: Identify and assess risks

You must consider the potential impact on children and any harm or damage your data processing may cause – whether physical, emotional, developmental or material. You should also specifically look at whether the processing could cause, permit or contribute to the risk of:

• physical harm;
• online grooming or other sexual exploitation;
• social anxiety, self-esteem issues, bullying or peer pressure;
• access to harmful or inappropriate content;
• misinformation or undue restriction on information;
• encouraging excessive risk-taking or unhealthy behaviour;
• undermining parental authority or responsibility;
• loss of autonomy or rights (including control over data);
• compulsive use or attention deficit disorders;
• excessive screen time;
• interrupted or inadequate sleep patterns;
• economic exploitation or unfair commercial pressure; or
• any other significant economic, social or developmental disadvantage.

You should bear in mind children’s needs and maturity will differ according to their age and development stage. Annex B should help you to consider this.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on children. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. You should bear in mind that some children will be less resilient than others, so you should always take a precautionary approach to assessing the potential severity of harm. You may find that there is a high risk for some age ranges, even if the risk for other age ranges is lower.

Step 6: Identify measures to mitigate those risks

You must consider whether you could make any changes to your service to reduce or avoid each of the risks you have identified. As a minimum, you should implement the measures set out in this code, but you should also consider whether you can put any additional safeguards in place as part of your service design.

Transparency is important. However, you should also identify and consider measures that do not rely on children’s ability or willingness to engage with your privacy information.

Step 7: Record the conclusion

If you have a DPO, you must record their independent advice on the outcome of the DPIA before making any final decisions.

You should record any additional measures you plan to take, and integrate them into the design of your service. If you identify a high risk that you are not mitigating, you must consult the ICO before you can go ahead.

It is good practice to publish your DPIA.