The ICO is committed to encouraging the development of codes of conduct and will provide advice and support from the start on:
- meeting the necessary criteria;
- the requirements of the GDPR; and
- complex areas of data protection.
The ICO welcome informal discussions with organisations as part of your development of your code of conduct and prior to formal submission. You are therefore strongly encouraged to contact ICO at [email protected].
About this detailed guidance
This guidance discusses codes of conduct in detail. Read it if you have detailed questions not answered in the guide, or if you need a deeper understanding. This guidance will be useful for organisations considering writing, monitoring or signing up to a code of conduct.
If you haven’t yet read the codes of conduct ‘in brief’ in the guide, you should read that first. It sets out the key points you need to know regarding codes of conduct.
How do we develop a code of conduct?
At a glance
A GDPR code of conduct must be submitted to the ICO by a ‘code owner’ who owns the code on behalf of a category of controller or processors. If you are a trade association or body representing a sector and are interested in developing a code of conduct please contact ICO at [email protected].
A ‘code owner’ is an association or body who creates and submits their code of conduct. Examples of code owners include:
- an association/consortium of associations or other bodies representing categories of controllers or processors;
- a sectoral organisation;
- trade or representative associations;
- academic associations; or
- interest groups.
The code owner must demonstrate to the ICO that they:
- are able to speak on behalf of a group of organisations;
- have the necessary experience within their sector; and
- understand the needs of the organisations.
We will provide advice and support to sectors from the start. You are therefore strongly encouraged to contact the ICO during the development stage of your code of conduct, prior to any formal submission, to ensure that when drafting the code, you are meeting the necessary criteria and understand the requirements of the GDPR. Please contact ICO at [email protected].
If you are ready to submit your application, it may help you to complete the questions on the submission page. This will ensure that you have met the criteria for approval and have all relevant supporting documentation before applying.
You can then download and complete the online application form, attach all supporting documentation and submit it to [email protected].
We will check that you have fully completed your application form and as a minimum we expect copies of any documentation that you refer to within the code, such as guidance or processing documents.
We also expect copies of any other relevant supporting documents, for example:
- evidence to support your status within your sector;
- evidence to support that as a code owner you are able to speak on behalf of a group of organisations. For example, by providing details of your reputation or experience within the sector, and/or the number or percentage of potential code members expected to sign up to the code;
- evidence to demonstrate that you have consulted with relevant parties such as stakeholders, clients, the public or others as relevant. You should provide evidence of the consultation and the outcomes;
- references to or details of any other national legislation relevant the code; and
- supporting documents for any required code monitoring body, to ensure that the body meets the ICO accreditation (approval) criteria. You can find further details of what supporting documentation is required by reading the information on ‘How do we gain monitoring body accreditation?’.
If you are uncertain what documents you need to provide, please contact ICO at [email protected].
You should ensure that your application demonstrates how the code of conduct meets the following key requirements:
- It is prepared and submitted by a trade body, representative organisation, or other body representing categories of controllers or processors. A code owner must demonstrate that they are able to speak on behalf of a group of organisations, have relevant experience and understand the needs of the organisations.
- It must contain a statement detailing the key issues which the code addresses, the processing activity/activities, the types of data, the data protection risks involved with the processing and what safeguards have been put into place within the code.
- It details the processing operations that it covers and areas it intends to address such as those listed in Article 40(2).
- It specifies whether it is a national code or a code which covers processing activities in more than one member state.
- It is submitted to the correct Supervisory Authority, taking into account the location of the headquarters of code owners and monitoring body and also location of the processing activity/sector/data subjects.
- It describes the mechanisms for monitoring compliance with the code, including structures and procedures for the investigation and management of code infringements and details of corrective measures.
- Where processing activities relate to private/non-public authorities, it identifies an appropriate monitoring body and contains sufficient detail to satisfy the ICO monitoring body assessment criteria and also sets out the provisions to address a situation where the monitoring body has its accreditation revoked.
- It details the consultation that has taken place with potential code members, stakeholders, data subjects or other relevant bodies.
- It provides confirmation that the code of conduct complies with any relevant national legislation.
- The ICO application form has been fully completed and all relevant documentation is attached to the code on submission.
The ICO will acknowledge receipt of your application and conduct an assessment of your code of conduct to ensure that you have met the initial criteria for approval (as outlined above).
If the triage requirements are met, we will write to you confirming that you will proceed to a full code review. If partially met, we will give you further advice. If not met, we will notify you that the code is currently unfit for further assessment.
The ICO will keep you regularly updated and allow you an opportunity to discuss any matters.
The ICO Code Assessment Group (made up of internal staff with relevant sectoral or technical expertise) carry out a full review to decide whether the code of conduct:
- demonstrates a need for the code within that sector or processing activity;
- addresses the specific needs of the sector whilst demonstrating a practical understanding of the GDPR;
- provides specific industry improvements on particular data protection areas;
- provides suitable and effective safeguards against the risks with data processing; and
- provides mechanisms to ensure that compliance with the code of conduct is appropriately monitored.
The Code Assessment Group will produce a report recommending either:
- code approval;
- amendments to the code; or
- code rejection.
If they recommend approval, we will inform you and provide a code of conduct approval report.
If the code of conduct requires amendments, you will receive a written report outlining reasons for non-approval and providing further advice.
You may be given an opportunity to attend a meeting with the Code Assessment Group to help clarify any matters. We will advise you about any necessary amendments and re-submission.
If we reject the code, you will receive a report highlighting the issues or queries raised by the Code Assessment Group and the reasons why there is doubt on the content or use of the code.
Once the code of conduct is formally submitted, we anticipate that the process should take approximately 8-12 weeks, depending upon the nature, completeness and complexity of the code.
Yes. The ICO will register and publish UK national codes approved by the ICO on its website, including the name of code owner, the code title, sector, and the date and version of the code that we have approved.
We may also notify the European Data Protection Board to update their register of all approved codes of conduct.
You should keep an easily accessible and publicly available list of your code members. We will expect you to keep this list up to date and make any amendments immediately and without delay.
You should periodically review the code of conduct to ensure that it remains relevant and up to date. If you need to make any amendments or extensions to the code, you should let the ICO know in writing at [email protected].
The ICO must approve further amendments or extensions to the code or changes or additions to the monitoring bodies.
The code owner should send the ICO an annual report which includes:
- a list of current code members;
- any new members;
- information concerning code member breaches of code requirements;
- details of any members suspended or excluded in the last 12 months; and
- outcomes of the code review.
All codes of conduct must contain ways to effectively monitor compliance by code members.
For codes covering private or non-public authorities, the code of conduct needs to identify an appropriate monitoring body and provide sufficient detail to demonstrate that the body meets the accreditation requirements and any other requirements outlined in the code.
The purpose of the monitoring body is to ensure code members comply with the code. Monitoring bodies are accredited (approved) by the ICO on the basis of meeting all accreditation requirements. The code should also outline alternative ways to monitor compliance if the monitoring body has its accreditation removed.
An ICO-approved GDPR code of conduct is written by a body able to legitimately speak on behalf of a group of organisations, such as a trade or representative body. It should provide a detailed description of what the GDPR means in practice for the organisations it covers, focusing on key data protection priorities and challenges that they are facing. It should outline technical and organisational measures that controllers and processors must have in place in order to be a member of the code of conduct. Organisations’ compliance with the code will be monitored.
ICO statutory codes of practice are written by the ICO to address key strategic areas, set out in the Data Protection Act 2018. They are approved by the Secretary of State and laid before Parliament. Codes of practice provide practical guidance to organisations about how to comply with data protection legislation with regards to a particular topic.
Yes. You need to review and evaluate any existing codes of conduct you have in line with the requirements of the GDPR. You can submit them to the ICO for approval, if you want them to be considered as an ICO-approved GDPR code of conduct.
Please note that your code needs to address particular data protection areas and issues that your sector faces and not simply repeat the GDPR.
The ICO will provide advice and support to sectors wishing to develop a code of conduct and you are strongly encouraged to contact the ICO during the development stage of your code of conduct, prior to any formal submission.
Yes. There can be multiple codes in a sector as long as they:
- satisfy the criteria for approval;
- cover different personal data processing areas and scope; and
- are clear about what organisations within the sector they apply to.
Where two codes are covering the same area in the same sector, we will check that they are suitably representative and consider if there should just be one code.
A draft code must contain information regarding the extent of consultation carried out with stakeholders and individuals. This will include, where relevant, information about how the code complements other codes already approved. Code owners are also required to demonstrate the need for a code and what added value it provides.
Cross-sector codes are possible (such as Human Resources or IT professionals working across multiple economic sectors) if the code owner can demonstrate that the organisations covered have a common processing activity and share the same processing needs. In these circumstances suitable organisations such as an HR professional body or IT association will need to develop the codes.
It may be the case that more than one monitoring body may need to be accredited if a cross-sector code applies to more than one category of data controllers and or representative organisation. In these circumstances, the code should clearly outline the accreditation requirements for each monitoring body and also state which data controllers each monitoring body will perform its functions on.
Section 7 of the DPA 2018 defines a public authority for the purposes of the GDPR.
It says that the following (and only the following) are ‘public authorities’:
- a public authority as defined by the Freedom of Information Act 2000;
- a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002; and
- an authority or body specified or described by the Secretary of State in regulations.
They are only public authorities for GDPR purposes when they are performing a task carried out in the public interest or in the exercise of official authority vested in them.
However, section 7(3) of the DPA 2018 says that the following are not public authorities for the purposes of the GDPR:
- a parish council in England;
- a community council in Wales;
- a community council in Scotland;
- a parish meeting constituted under section 13 of the Local Government Act 1972;
- a community meeting constituted under section 27 of that Act; and
- charter trustees constituted;
- under section 246 of that Act,
- under Part 1 of the Local Government and Public Involvement in Health Act 2007; or
- by the Charter Trustees Regulations 1996.
While these are not public authorities for GDPR purposes, this does not affect their status as a public authority under any other legislation.
How do we gain monitoring body accreditation?
At a glance
All codes of conduct, whether public or private, must contain suitable ways to effectively monitor compliance with the code and take appropriate action in cases of infringement. These methods need to be clear and efficient.
Codes of conduct covering private or non-public authorities must also identify a monitoring body who will fulfil the monitoring requirements. This body can carry out compliance monitoring against a code of conduct where it has appropriate expertise and is accredited (approved) to do so by the ICO.
Monitoring bodies may be:
- internal - they may be a separated, independent part of the code author organisation; or
- external they could include audit, monitoring, consultancy or other bodies, as long as they fully meet all the accreditation requirements.
You must submit all applications for monitoring body accreditation in English or Welsh with all supporting documents to the ICO and must demonstrate that as a monitoring body you:
- are appropriately independent from code owners considering specifically your legal and decision-making procedures, financial, organisational and accountability arrangements;
- can act free from sanctions or external influence to ensure that no conflict of interest arises;
- have the required knowledge and expertise;
- have established procedures, structures and resources for the monitoring of compliance with the code;
- have an open and transparent complaints handling and appeals process to receive, evaluate, track, record and resolve complaints and appeals;
- will communicate to the ICO any code member infringements that lead to suspensions or exclusions and any substantial changes to your own status;
- will review the code to ensure that it remains relevant and up to date; and
- have appropriate legal status.
There are a number of requirements that you need to meet in order to gain ICO accreditation and these are set out in further detail within the accreditation requirements document (external link).
You need to provide evidence to support how you meet the criteria set out above and in particular that:
- you are independent from the code owner and code members, for example, information barriers, separate reporting management structures, formal rules and procedures for staff appointment, etc;
- you have a risk assessment process to ensure that no conflict of interest arises;
- you have an in-depth understanding, knowledge and experience of the specific data processing activities outlined in the code, the sector and required data protection expertise. This could include but is not limited to evidence to support your status as a trade association/representative body, your personnel training/qualifications and evidence requirements as outlined in the code of conduct;
- your procedures and structures allow you to assess the eligibility of code members to comply with the code, provide monitoring over a defined period and evidence of your procedures for management of code member infringements;
- you have a complaints handling process for complaints about code members, complaints against yourself and your appeals handling process;
- you have a process for communicating suspensions or exclusions of code members to the ICO and process for reporting substantial changes to the ICO;
- you have plans and procedures to review the operation of the code, provide the code owner with an annual report on the code’s operation and apply code updates as instructed by the code owner; and
- your legal status ensures that you have the appropriate standing to meet the requirements of being fully accountable in your role and have sufficient financial and other resources to fulfil your monitoring responsibilities.
A code owner will have to demonstrate how the monitoring body can remain impartial from, code members, the profession, industry or sector to which the code applies.
How this will work in practice will vary depending on the code topic, the sector and the organisations involved so there is no universal approach to demonstrating independence.
Code owners will need to consider the risks to impartiality and demonstrate how they will minimise or remove these risks on an ongoing basis.
We expect that in some cases existing models of self-regulation or co –regulation familiar to representative bodies and trade associations may be adapted to meet these requirements. Existing good practice in these areas could all help to prove impartiality, such as:
- being able to evidence the ability to act free from inappropriate influence;
- separate decision-making arrangements;
- separate staff and governance reporting lines;
- separate funding arrangements or budget management; and
- technical measures, such as information barriers.
We anticipate that the monitoring body accreditation will take place at the same time as the code of conduct approval. However, there will be two separate application processes for monitoring body accreditation and code of conduct assessment.
A monitoring body will need to make an application for accreditation to ensure that these requirements are met.
The ICO will fully review the application form to ensure that it meets all accreditation requirements. If further information is required, we will request this from the code owner or the monitoring body, as appropriate.
The ICO will notify you in writing whether the accreditation requirements have, or have not been met, with reasons to support the conclusion.
In most cases the accreditation of a monitoring body will take place alongside the approval of a code of conduct. Therefore, we anticipate that once the application for monitoring body accreditation is formally submitted, the process should take no longer than 8-12 weeks.
A code owner should review the code of conduct to ensure that its content remains relevant and up to date. The monitoring body will contribute to this review, as required by the code owner. You should therefore document plans and procedures which include providing the code owner with an annual report on the operation and relevance of the code.
If the code owner needs to make any amendments or extensions to the code, they should let the ICO know in writing at [email protected].
You are required to notify the ICO of any suspensions or exclusions of code members. It is envisaged that suspension or exclusion of code members will only apply in serious circumstances and code members will first have the opportunity to take suitable corrective measures. You are required to immediately notify the ICO of:
- any suspensions or exclusions of code members, providing a summary outlining details of the infringement and reasons for the action taken, in line with the suspension/exclusion process’
- any procedure for lifting suspension or exclusion of a code member.
You should also notify the ICO immediately and without delay about any substantial changes to your ability to function independently and effectively, your expertise and any conflict of interest. Substantial changes will result in a review of your accreditation. Substantial changes may include changes to:
- legal, commercial, ownership or organisational status and key personnel;
- resources and location(s); and
- any changes to the basis of meeting any of the accreditation requirements.
A code of conduct for a private/non-public authority cannot be approved without a monitoring body accredited by the ICO. However if you wish to add an additional monitoring body after the code has been approved you will be required to make a separate application for accreditation and demonstrate that the new body meets all the monitoring body accreditation requirements, as described above.
You should have a documented process to receive, evaluate and make decisions on complaints received about code members and complaints made about your own activities.
The ICO expects that any complaint is first addressed by you, even if it was directed to us. We normally expect you to resolve non-complex complaints within three months.
Your complaints handling process should be clear, transparent, publicly available and should meet the requirements for accreditation. This includes a requirement to maintain a record of all complaints and the actions taken, which the ICO can access at any time.
You should have a documented process to receive, evaluate and make decisions on appeals that may be made by a code member or potential code member concerning membership, suspension or exclusion. This process should be clear, transparent, publicly available and meet the requirements for accreditation.
No, a monitoring body is responsible for checking code members’ compliance with the code requirements.
A monitoring body could be fined for GDPR infringements in its own capacity as a data controller but is not responsible for the GDPR fines of a code member.
Under Article 41(5) the ICO must revoke (withdraw) the accreditation of a monitoring body if the requirements for accreditation are either not met, no longer met, or where actions taken by the body infringe the GDPR.
The consequences of revoking the accreditation of the monitoring body will be the suspension, or permanent withdrawal, of the monitoring body from the code. This may adversely affect the compliance, reputation or business interests of code members, and may result in a reduction of trust by their data subjects or other stakeholders.
Where possible, before revoking accreditation, the ICO will provide the opportunity to address issues, or make improvements as appropriate, within an agreed timescale.
Revocation of accreditation of a monitoring body may apply in a number of serious circumstances, for example:
- contravention of key monitoring body requirements such as seriously breaching their expected independence and expertise, serious conflict of interest issues, or absent monitoring of code member compliance;
- unacceptable volumes / nature of complaints about the monitoring body, received from code members or others, or the monitoring body’s lack of action in addressing complaints about their code members; and
- other serious or adverse activities undertaken by the monitoring body, as disclosed by the press or other public platform, which brings the body into disrepute.
You should have already spoken with the code owner regarding the code for which you will become the monitoring body. If you have already made contact with the ICO for an informal discussion regarding your accreditation and you are ready to make an application please complete the application form below and submit to ICO via [email protected].
How do we become a code member?
At a glance
Signing up to a code of conduct is voluntary. If a GDPR code of conduct is developed in your sector that is relevant to your data processing activities, you should consider signing up. Code membership and compliance can:
- help you achieve better data protection compliance, knowing that you are meeting best practice standards in your sector;
- help you promote a consistent and efficient approach to common data protection issues in areas such as fair and transparent processing, security and legitimate interests;
- demonstrate that you are accountable and transparent in the way that you apply the GDPR;
- demonstrate that you have appropriate safeguards to improve the trust and confidence of the general public about what happens to their personal data;
- help you to address the type of processing you are doing and the related level of risk. An example is a code may contain more demanding requirements when it relates to processing of sensitive special category personal data; and
- provide a competitive advantage from a contract tendering or customer perspective.
- You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or a brand-new code.
- People who access your services will be able to view your code membership on the code’s webpage.
- Your compliance with the code will continue to be monitored on a regular basis after the initial assessment. This monitoring provides assurance that the code members can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
- When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the GDPR.
The requirements for code membership will be set out in the code itself. They will vary depending on the sector and complexity of the code. You must be able to comply with all mandatory elements of a code of conduct before signing up to it as your compliance will be regularly monitored.
We recognise that we will need to allow members some time to implement the code requirements before the monitoring body can monitor compliance.
The code will outline how you will move from working towards compliance to being fully compliant and how the monitoring body will administer and communicate this.
The ICO can take enforcement action against organisations and individuals that have infringed the GDPR and will use enforcement powers where they are effective and proportionate. However, we may take into account an organisation’s membership of a code and lack of required compliance with it when considering enforcement action.
Read ICO Regulatory Action Policy for further information.
By signing up to a GDPR code of conduct you are showing that you can effectively apply the GPDR. All GDPR codes of conduct will be registered by the ICO and published on the ICO website. Depending on the how the code has been constructed, it may be that those signing up to the code are able to display some form of visual symbol that they are a member of that code.
If you feel that there is a common data protection issue in your sector you should contact a relevant trade association, representative body or body able to legitimately speak on behalf of organisations like you. You can raise awareness of the issue and discuss the benefits of developing a code to address it.
The ICO has not yet formally approved any codes of conduct. You may wish to contact your trade association, representative body or a body able to legitimately speak on behalf of organisations like you to discuss whether they are developing a code in your sector.
Submit your code of conduct
We appreciate that developing a code of conduct can be a complex process. The ICO application process will outline if you are at the right stage to formally submit a code of conduct. The ICO also welcome informal discussions with organisations as part of their development phase. You can contact ICO at [email protected].
ICO register of UK-approved GDPR codes of conduct
There are no approved GDPR codes of conduct at the moment, but we are actively working with various sector bodies and associations to assist them in developing codes of conduct and are keen to talk to others who may be considering development of a code.
The ICO will publish further information once codes of conduct are approved.
Thank you for reading.