Child Data Protection: Animation Studio Case

Key Issues and Solutions
1. Register of Personal Data Processing
- The company already had a well-established information security system. They shared data flow diagrams and a list of recipients, which significantly accelerated the process of filling out the register.
- We supplemented the scheme and register with processing activities found during the user journey – a mini-audit where the consultant analyzes the application functionality from the user’s perspective. Then we proceeded to select legal grounds.
- The project scope also included employee data processing, as the company is based in Cyprus.
2. GDPR Compliance Action Plan
- The register reflected the state of data protection at the time of completion. We identified gaps and compiled a list of recommendations (action plan) to achieve GDPR compliance.
- For each processing activity, we added both mandatory GDPR requirements and recommendations for transparency and data minimization.
- Together with the client, we selected priority measures and began working on their implementation.
3. Child-Oriented Privacy Policy
Because the company’s main audience is children, we developed a simplified version of the privacy policy that still met all the requirements of Articles 13 and 14 of the GDPR.
4. Use of Cookies
Even before the website launch, we worked on the cookie banner so that the marketing department wouldn’t have to look for new solutions or change the established process later. We prepared detailed recommendations for setting up the banner for the development department. Our team also consulted on which analytical services should not be used due to higher privacy risks for children.
5. Age Verification and Parental Control
Another important aspect of the project was the authorization algorithm and the introduction of parental control. We recommended asking for the user’s age when they enter the application or create a personal account on the website, to distinguish children from other users. This is necessary to avoid showing targeted advertising to children, as GDPR prohibits this, and to request parental consent where necessary.
6. Data Protection Impact Assessment (DPIA)
We conducted a DPIA for key data processing activities and analyzed about 20 risk scenarios. Given the vulnerability of children, we recommended simplifying the interface for children’s accounts, reviewing data retention periods, and considering anonymization.
7. Internal Data Protection Policy
To ensure that all actions were supported by the company, we developed an Internal Personal Data Protection Policy. The policy includes general data processing rules, clear instructions on when to consult with the DPM, an algorithm for responding to subject requests, and a procedure for responding to data security breaches. This step was necessary to maintain the established level of compliance.
8. Recommendations Implementation Report
At the conclusion of the project, we prepared a report on the work done, assessed the level of implementation of our recommendations, and summarized further, lower-priority actions that would improve the level of compliance. In the report, we provided examples of relevant cases and potential fines for non-compliance.
Results
- Personal data processing register in Notion.
- Privacy policy that takes into account the interests of children.
- Detailed requirements for the banner and cookie policy in accordance with GDPR.
- DPIA reports for risk scenarios.
- Recommendations for processing children’s data in accordance with GDPR.
- Internal data protection policy to maintain compliance efforts.
- Report on the current status and next steps.

