Under the GDPR, trade associations and other representative bodies may draw up codes of conduct that identify and address data protection issues that are important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. They are a good way of developing sector-specific guidelines to help with compliance with the GDPR. There is a real benefit to developing a code of conduct as it can help to build public trust and confidence in your sector’s ability to comply with data protection laws.
The ICO is committed to encouraging the development of codes of conduct and will provide advice and support from the start on:
- meeting the necessary criteria;
- the requirements of the GDPR; and
- complex areas of data protection.
The ICO welcomes informal discussions with organisations as part of your development of your code of conduct and prior to formal submission. Please read ICO detailed guidance pages for further information.
At a glance
- Codes of conduct enable a sector to own and resolve key data protection challenges. The ICO see these as a way of demonstrating accountability and encourage trade associations and bodies who are able to speak on behalf of a group of organisations, to create codes of conduct.
- Using an ICO approved code of conduct give assurance that the code and its monitoring is appropriate and will help you to apply the GDPR effectively.
- Codes of conduct should reflect the requirements of different processing sectors and takes account of the specific needs of small and medium sized enterprises.
- Trade associations or bodies who are able to speak on behalf of a group of organisations can create, amend or extend codes of conduct to help their sector comply with the GDPR in a practical, transparent and cost-effective way.
- Signing up to a code of conduct is voluntary. However, if there is an approved code of conduct, relevant to your processing, you should consider signing up.
- A code of conduct can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve best practice.
- A draft code of conduct must be submitted to us for approval and will be assessed against specific criteria to ensure that it meets the expected standard.
- A code of conduct will describe the appropriate monitoring mechanisms and (where applicable) the monitoring bodies that will be accredited to monitor compliance as part of the code approval process.
In brief
Codes of conduct help you to apply the GDPR effectively and allow you to demonstrate your compliance.
-
What are codes of conduct?
Codes of conduct are voluntary accountability tools, enabling sectors to identify and resolve key data protection challenges in their sector with assurance from ICO that the code, and its monitoring, is appropriate. They can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve good practice. They are written by an organisation or association representing a sector in a way that the sector understands and enable sectors to solve these challenges with advice and support from the ICO.
By signing up to a code of conduct, controllers and processors can ensure they apply the GDPR effectively and in doing so establish operational norms in compliance that ultimately should assist in bringing down levels of non-compliance. Codes of conduct require a monitoring method, and for private or non-public authorities, a monitoring body to deliver them.
-
Why sign up to a code of conduct?
Adhering to a code of conduct shows that you:
- follow GDPR requirements for data protection that have been agreed as good practice within your sector; and
- are appropriately addressing the type of processing you are doing and the related level of risk. For example, a code may contain specific sectoral requirements when it relates to processing of sensitive special category personal data.
Adhering to a code of conduct could help you to:
- be more transparent and accountable;
- take into account the specific requirements of processing carried out in a sector and improve standards by following best practice in a cost-effective way;
- promote confidence and in a sector by creating effective safeguards to mitigate the risk around processing activities;
- earn the trust and confidence of data subjects and promote the rights and freedoms of individuals;
- help with specific data protection areas, such as breach notification and privacy by design; and
- improve the trust and confidence in your organisation’s compliance with GDPR and of the general public about what happens to their personal data.
-
What should codes of conduct address?
Codes of conduct should help you to comply with the GDPR, and may cover topics such as fair and transparent processing, legitimate interests, pseudonymisation or alternative, appropriate data protection processing issues.
Codes of conduct should also reflect the specific needs of controllers and processors in small and medium enterprises and help them to work together to apply GDPR requirements to specific issues that they face.
Codes should provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost-effective means to enable compliance with GDPR for a sector and its members.
-
Who is responsible for codes of conduct?
Trade associations or bodies who are able to speak on behalf of controllers or processors can create a code of conduct in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with GDPR requirements. They have to submit the draft code to us for approval.
We encourage the creation of codes of conduct by actively engaging with sectors to encourage development and uptake of codes of conduct where the sector would benefit. We will also support organisations who approach the ICO with a proposal for a code of conduct.
We will:
- Provide advice and guidance to bodies considering or developing a code;
- check that codes meet the code criteria set out below;
- accredit (approve) monitoring bodies;
- approve and publish codes of conduct; and
- maintain a public register of all approved UK codes of conduct.
-
How will the ICO approve a code of conduct?
All codes of conduct received will be assessed against the following criteria to ensure that the code submission addresses the following:
- Outlines the code owner’s ability to represent controllers or processors covered by the code.
- Includes a concise statement explaining the purpose of the code, the benefits to members and how it effectively applies the GDPR.
- Identifies processing operations that the code covers and the categories of controllers or processors that it applies to as well as what the data protection issues are that it intends to address.
- Identifies suitable monitoring methods to assess code member compliance with the code.
- Identifies the monitoring body and its legal status (only required for codes covering non-public authorities).
- Outlines the stakeholder consultation and outcomes.
- Complies with other relevant national legislation, where required.
- Specifies whether it is a national code or a code which covers processing activities in more than one member state.
- is submitted to the correct Supervisory Authority, taking into account the location of the headquarters of code owners and monitoring body and also location of the processing activity/sector/data subjects.
-
How will compliance with the code be monitored?
All codes of conduct must contain suitable methods to allow for effective monitoring of code member compliance and outline appropriate action in cases of infringement. In all cases these methods will need to be clear, suitable and efficient.
Codes of conduct covering the private sector, or any non-public bodies will also have to identify a monitoring body to fulfil the code monitoring requirements. Monitoring bodies must be accredited (approved) by the ICO.
-
How to become a monitoring body
There are a number of requirements that should be met in order for a monitoring body to gain ICO accreditation. Code owners will need to demonstrate as a minimum how their proposed monitoring body:
- Is independent from code owners.
- Can act free from sanctions or external influence to ensure that no conflict of interest arises.
- Has the required knowledge and expertise.
- Has established procedures and sufficient resources for the monitoring of compliance with the code.
- Has an open and transparent complaints handling process.
- Will communicate to the ICO infringements that lead to suspensions or exclusions of code members.
- Will review the code to ensure that the code remains relevant and up to date.
- Has appropriate legal status.
The ICO accreditation requirements have now been adopted by EDPB and can be found here. You can also find out more about monitoring body accreditation on our detailed guidance pages.
-
How can we demonstrate independence for an internal monitoring body?
A code owner will have to demonstrate how the monitoring body can remain impartial from, code members, the profession, industry or sector to which the code applies.
How this will work in practice will vary depending on the code topic, the sector and the organisations involved so there is no universal approach to demonstrating independence.
Code owners will need to consider the risks to impartiality and demonstrate how they will minimise or remove these risks on an ongoing basis.
We expect that in some cases existing models of self-regulation or co –regulation familiar to representative bodies and trade associations may be adapted to meet these requirements. Existing good practice in these areas could all help to prove impartiality, such as:
- being able to evidence the ability to act free from inappropriate influence;
- separate decision-making arrangements;
- separate staff and governance reporting lines;
- separate funding arrangements or budget management; and
- technical measures, such as information barriers.
-
What are the practical implications for our organisation?
- You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or a brand-new code.
- Your customers will be able to view your code membership via the code’s webpage and the ICO’s public register of UK approved codes of conduct.
- Once you are assessed as adhering to the code, your compliance with the code will be monitored on a regular basis. This monitoring provides assurance that the code can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
- When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the GDPR.
-
How do we sign up to become a code member?
The ICO has not yet formally approved any codes of conduct. You may wish to contact your trade association/representative body or a body able to legitimately speak on your behalf to discuss whether they are developing a code in your sector.
For further information please see our detailed guidance pages.
-
Next steps
Following submission to the European Data Protection Board (EDPB) Plenary, in December 2019 the UK code of conduct monitoring body accreditation requirements were finalised. This means we can now accredit (approve) monitoring bodies and approve GDPR codes of conduct.
The ICO welcome enquiries from organisations who are considering writing, monitoring or signing up to a code of conduct, you can find out more about this on the detailed guidance pages.
We have published detailed guidance on codes of conduct.
Thank you for reading.