A trip to the zoo and data processing too

We’re a few months into the new age of data privacy under the GDPR, and much like leaving your 20’s and turning 30, apart from people saying how it’s all downhill and generally trying to make you afraid of what’s to come, not a lot has happened.

I still get contacted by companies that are inappropriately (or more excitingly, unlawfully) processing my data. I probably get more marketing emails now than before (thanks Microsoft for doing a good job of filtering the nonsense out), and we’re still getting the most basic questions asked of us on our live chat from companies that have done nothing to be GDPR compliant.

Frighteningly basic.

“Do I need to tell people I’m doing stuff with their data to make money?” basic. I haven’t yet kicked off a Subject Access Request – I’m waiting for a particularly special company for that. I don’t like admin, so don’t want to do it often.

And there I am, joining the millions of people diminishing the potential impact of the GDPR in its infancy by not respecting my data enough to make others do the same. What example am I setting companies that want to sell stuff to me by not forcing them to do as they should?

And yet, there’s a ramp up of activity from across the pond in Trump’s America. Companies telling us ‘we want to do data privacy well’ – those currently not subject to the GDPR looking to achieve the standard, where so many in the UK are working hard to avoid having to do it (like getting a 4 year old to tidy their room – little do they know that it’s more effort to argue about it rather than do it once and stay on top of it).

That award-worthy segway eases us nicely into children’s data.

Children’s Data and GDPR

It’s precious. The most precious data. It can (and often does) include special category data, as well as being data on the people we treasure most in the world. With everything we know about data profiling, selling data and all the other shadowy uses of data, what of our children?

Is my four-year-old being profiled today by companies based on my data? Probably. Where we live, where she goes to school, my self-assessment tax return… all useful to help position the right junk to sell me, or worse, getting ready to sell to her.

Tough pill to swallow thinking about companies getting ready to sell to the next generation of consumers, making decisions on what and how when they’re so young.

To those companies, stop it. You’ll have plenty of time to harvest their data (lawfully or otherwise) and use questionable marketing techniques to do what you want when they’re old enough to be independently disgruntled.

GDPR Consent in Education and Children’s Services

There is, however, a part of the world that (hopefully) doesn’t have this attitude towards our children’s data; the educators. Educators isn’t limited to schools and schoolteachers:

  • Sports clubs… gymnastics, swimming, dance and the like
  • Any after school club
  • Nurseries
  • Summer camps
  • And many more

Unlike many organisations who may only seek consent for marketing, or maybe 1 or 2 other processing activities, there’s non-GDPR ‘stuff’ that educators regularly get consent for (ye olde permission form):

  • A trip to the zoo, the title of this blog too
  • Going to forest school (if the nursery has one)
  • Applying sun cream to your child (assault if not in place so I was told last week)
  • Going in the minibus
  • Going on the high beam
  • Taking and displaying photos
  • And so on…

Familiar and stable for years. No form – no zoo, sun cream, minibus ride etc.

Consent is the appropriate lawful basis for so many of the activities our children’s data is used for by organisations we choose to share with and entrust our children to.

Now though, there are additional requirements on educators to get consent for data processing activities. Fair enough. Rinse and repeat the old process.

A few of us at Obsequio have received consent request forms, and they all had stuff in common (yes, I understand that the dataset is pretty small and it’s not necessarily representative of the UK in general). They are, as you might expect, ok(ish) with some better than others, and the odd howler.

I’ve seen a school asking for consent to report parents to the police where they suspect child abuse (I have seen this form, but won’t name the school as I don’t think it is fair to do so).

If you have a look at the ICO’s guidance on processing children’s data, much of it relates to under 13’s, but those old enough to peruse the web and its many wonders. What about those that don’t surf, or read?

The Information Commissioner launched a grant programme last year, repeating this year (if you’re reading this, the deadline has passed), and one of the key areas of interest is “Children’s’ data, age verification and parental consent verification solutions”.

Consent Management Software for Education and Children’s Services

If you’ve read any of our other blogs, they aim to give a little something back and aren’t overly sales-y about our company or product.

This one is slightly different.

There is a lot of time and effort involved in doing all the consent stuff for children. From the basic processing of data, through to permission to give certain foods and the trip to the zoo.

Our consent management software does what should be done, and what the Information Commissioner has asked for. A technology platform that lets a parent consent (or not) on behalf of their children. Make access requests and withdraw consent, on behalf of your child or children.

We are going to launch a pricing tier for education. It will be a lower cost than our commercial pricing. And I trust (as we do with all our suppliers), that our commercial customers will be happy in the knowledge that they give a little, we give a little, and educators benefit.

If you are an educator, please give us a call.

Phil Schofield

About Phil Schofield

Phil is Managing Director of Obsequio Software. He spent ten years in sales moving from car sales, through insurance brokering then four years as a contract recruiter. Knowing how much difference transparency can make to the customer experience led him to start Obsequio. Phil tackles the GDPR discussion from the customer perspective. Start there and work backwards from the customer experience to define your compliance strategy.

Leave a Reply