Must, should, could - using this guidance to comply

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

legislative requirements within the ICO’s remit; or
established case law (for the laws that we regulate) that is binding.

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.