The TikTok implications for your organisation

We consider £27 million worth of reasons why certain UK GDPR principles matter, not only for TikTok (which is in the spotlight) but also for your organisation.

What's happened?

The Information Commissioner's Office (ICO) has taken the provisional view that TikTok Inc and TikTok Technologies UK Ltd (TikTok) may have breached data protection law by failing to protect children's privacy between May 2018 and July 2020.

TikTok is known globally for its online platform, which allows individuals to create and share short video clips. As a result, it attracts the interest of all types of users, including children.

It is this latter category of users which has attracted the attention of the ICO. The ICO's investigation into TikTok's personal data processing activities has led it to raise provisional concerns that TikTok may have:

  1. processed the personal data of children under the age of 13 without appropriate parental consent
  2. failed to provide proper information to its users in a concise, transparent and easily understood way
  3. processed special category personal data without a lawful basis for doing so

Currently, the ICO's provisional findings have led only to a 'notice of intent' being issued to TikTok, rather than an actual fine. The ICO is keen to stress that, pending its final decision, it is not conclusive that TikTok has breached data protection law, nor that a financial penalty will in fact be imposed. What follows now is the opportunity for TikTok to make representations, which the ICO will consider before reaching a final decision. However, this is clearly a significant investigation: the ICO has indicated that the potential fine could be £27 million.

Key points for organisations

Although the TikTok investigation has clear implications for organisations that process children's personal data, it also serves as a timely reminder to all organisations that:

  • Personal data needs to be processed in accordance with the UK GDPR, which includes the UK GDPR principles of processing personal data in a lawful, fair and transparent manner.
  • The 'lawfulness' principle under the UK GDPR requires personal data to be processed under one of the six lawful bases set out in the UK GDPR, whilst also ensuring that the processing does not breach any other law.
  • The 'fairness' principle under the UK GDPR requires personal data to be processed in a way that would not be misleading or unexpected from the individual's (namely, the data subject's) perspective. Furthermore, the processing must not be unduly detrimental, taking into account the purposes of the processing which have been communicated to the data subject.
  • The 'transparency' principle under the UK GDPR requires clear, open and honest communication from the outset as to how data subjects' personal data will be processed.
  • Processing of children's personal data requires additional safeguards (under the UK GDPR as well as the Age Appropriate Design Code), especially when it comes to: consent requirements; communicating information in a transparent manner (ensuring that it can be understood by a child of that age group); and ensuring that any processing activities (including data sharing and marketing) take account of the fact that the individual is a child rather than an adult.
  • Organisations need to be mindful of whether they are processing special categories of personal data, which by their very nature are more sensitive and therefore require additional safeguards when processed.

How we can help

Digital platforms can give rise to various legal considerations, including:

  • Undertaking Data Protection Impact Assessments (DPIAs)
  • Producing Privacy Notices
  • Producing Cookies Notices
  • Having appropriate consent arrangements
  • Factoring in the Age Appropriate Design Code requirements
  • Putting in place appropriate third party technology service provider contracts
  • Putting in place appropriate end user terms and conditions

Mills & Reeve's national IT and data protection law team can assist your organisation with all of these and other legal requirements.

Please contact Jagvinder Singh Kang to arrange an initial consultation call.

Our content explained

Every piece of content we create is correct on the date it is published, but please don't rely on it as legal advice. If you'd like to speak to us about your own legal requirements, please contact one of our expert lawyers.
