We were at a conference recently when someone asked how, under the EU General Data Protection Regulation (GDPR), children’s charities should get consent from children who contact them.
To be clear, Recital 38 states that people under a certain age (which is at member states’ discretion, but must be between 13 and 16) are considered children, and their consent must meet the GDPR’s child consent requirements. This includes the stipulation that consent be given by someone with “parental responsibility”.
However, Recital 38 also states: “The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
If your charity fulfils either of those functions, you won’t need parental consent, but you will need to meet the other requirements of lawful data processing.
Child consent requirements
The GDPR strengthens and expands data subjects’ rights, and it lists specific requirements for lawful consent requests and child consent.
The biggest change to consent requirements under the GDPR is that consent must be given by a clear affirmative action. In other words, individuals need to be given a mechanism that involves a deliberate action to opt in, as opposed to pre-ticked boxes.
The terms for consent must also be written in simple language that takes the target audience into account.
But remember, consent is only one of six lawful grounds for processing data, and it’s generally the least preferable option. If your organisation can find another basis for processing data, that should always be used instead.
The GDPR isn’t soft on charities
You might expect lawmakers to be more lenient with charities, but that definitely isn’t the case. As with current data protection laws, the GDPR treats charities in much the same way as private companies. Systems must be kept secure, volunteers must be held to the same standards of data protection training as paid employees and data breaches will be met with disciplinary action.
If you want to know about your organisation’s obligations under the GDPR, you should consider enrolling on one of our GDPR training courses.
Our one-day Certified EU General Data Protection Regulation Foundation (GDPR) Training Course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for organisations.
Delivered by an experienced data protection practitioner, the course is built on the foundations of our knowledge of data privacy laws and information security standards such as ISO 27001.
For a more in-depth course, you should enrol on our four-day Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course. This programme helps you gain a practical understanding of the tools and methods for implementing and managing an effective compliance framework.
Ideal for anyone looking to fulfil the DPO role, the course focuses on how the data protection principles work in practice, the policies and procedures necessary, and practical guidance on how to implement an effective privacy and information security compliance programme.
Book these programmes together in our combination course and you’ll save 15%.