Children’s Data Protection Guidance for Organisations

Protecting children’s personal data is a top priority for organisations across all sectors. Following the ICO’s recent review of children’s data processing in financial services, new guidance has been issued that offers valuable insights for any business handling young people’s information. This article explores the key lessons from the ICO’s findings and provides practical steps to help your organisation comply with UK GDPR and safeguard children’s rights.

What Can Other Organisations Learn from the ICO’s Review?

The ICO recently reviewed how financial services process children’s data. Their guidance is also relevant to any organisation handling children’s personal information. Recital 38 of the UK GDPR states that children deserve specific protection because they may be less aware of risks, consequences, and their rights.

Children’s Data Protection Guidance: Key Steps

Check Your Policies

Check that your policies cover the use of children’s data. Include specific content on the use of children’s information in your staff data protection training.

Be Transparent

Ensure children can understand how your organisation is using their information. Use age-appropriate language and descriptions in your privacy notice and terms and conditions. Don’t pass your transparency responsibility on to their parents!

Be aware:

Processing of children’s data may change with their age. An organisation should be aware of this, and continue to ensure transparency.

Review Data Collection and Use

Regularly review the categories of children’s data collected and the controls in place to ensure it is limited to what is necessary, particularly for special categories of data. Ensure your RoPA (Register of Processing Activities) distinguishes where you are processing children’s and adults’ data.

Be aware:

When using Consent for processing, where parents/guardians previously provided consent on behalf of their child, you will need to keep this consent under review. As the child gets older and their ability to understand the processing increases, the consent is likely to become invalid until it is obtained from the child. 

Children’s Data Rights

In responding to a request for children’s information from the child or their parent, an assessment of the child’s competence should be made. Setting an age threshold may be useful in many circumstances. However, you cannot use this to prevent children accessing their information rights unless there is good reason to think they are not competent.

Children have the same data protection rights as adults.

Age Verification

Implement a robust process for verifying the age of children when this is required for the services being provided. 

Contacting Children (Including Marketing)

Nothing in the UK GDPR prevents communications to children, including marketing. However, there are special protections when marketing to children such as:

  • Carrying out a DPIA to adequately assess the risks to them.
  • Making sure that they are aware of, and understand, that their information is being used for marketing.
  • Making sure that they are aware they can object to marketing and how they can exercise this right.
  • Ensuring that electronic marketing communications are compliant with the Privacy and Electronic Communications Regulations (PECR).

Be aware:

Consider the information in your communications when they are sent via the child’s parents, to prevent disclosing information a child might not expect to be disclosed.

Act in the Best Interest of the Child

This concept should be at the forefront of considerations when making decisions about processing children’s data. This is not specifically mentioned in the UK GDPR but is in the United Nations Convention on the Rights of the Child.

The proposed Data (Use and Access) Bill

The proposed Data (Use and Access) Bill will require organisations to determine the appropriate technical and organisational safeguards when processing personal data to provide online information services that are likely to be accessed by children, and to consider children’s “higher protection matters”, such as:

  • How children can best be protected and supported when using the services
  • Ensuring specific protection for children’s personal data as they may be less aware of the associated risks and consequences and of their rights in relation to such processing
  • Accounting for their different needs at different ages and stages of development.

Following children’s data protection guidance is essential for any organisation processing children’s personal data. By checking policies, being transparent, reviewing data use, and always acting in the best interests of the child, you can ensure compliance with UK GDPR and build trust with families and regulators.

For more information, read the full report on the ICO website: Children’s data in financial services | ICO

Detailed guidance for organisations processing children’s personal data under the UK GDPR: Children and the UK GDPR | ICO


Article by

Gillian Dent

Risk & Compliance Consultant, Risk Evolves
