Codes of conduct

The ICO is committed to encouraging the development of codes of conduct and will provide advice and support from the start on: 

• meeting the necessary criteria;
• the requirements of the UK GDPR; and
• complex areas of data protection.

We welcome informal discussions with organisations as part of your development of your code of conduct and prior to formal submission. You are therefore strongly encouraged to contact us at [email protected].

About this detailed guidance

This guidance discusses codes of conduct in detail. Read it if you have detailed questions not answered in the guide, or if you need a deeper understanding. This guidance will be useful for organisations considering writing, monitoring or signing up to a code of conduct.

If you haven’t yet read the codes of conduct 'in brief' in the guide, you should read that first. It sets out the key points you need to know regarding codes of conduct.

How do we develop a code of conduct

• Who can create a UK GDPR code of conduct?
• At what stage can our sector engage with the ICO?
• How can we apply to the ICO to have our code of conduct approved?
• What supporting documents do we need to include with the application?
• What are the code of conduct approval requirements?
• What happens to the application?
• What is a full code review?
• What are the possible outcomes of the full code review?
• How long does it take to get a code approved by the ICO?
• Will the ICO register and publish approved codes on the website?
• What is the register of code of conduct members?
• What is the code of conduct review process?
• How should a code owner report to the ICO?
• How is code members’ compliance monitored?
• What is the difference between ICO-approved UK GDPR codes of conduct and ICO statutory codes of practice?
• We are reviewing our existing code of conduct. Can we amend it to comply with UK GDPR requirements?
• Could there be a multiple ICO-approved UK GDPR codes of conduct in one sector?
• Are cross-sector codes allowed?
• Are we a public authority under the UK GDPR?

How do we gain monitoring body accreditation?

• What are the accreditation requirements?
• What supporting documents are required?
• How can we demonstrate independence for an internal monitoring body?
• What is the monitoring body assessment process?
• What are the timescales?
• What is the code review process?
• What are the reporting requirements to the ICO?
• Can a monitoring body be added to a code of conduct later on?
• What about complaints?
• What about appeals?
• Could a monitoring body be fined for infringements made by code members?
• Can the monitoring body accreditation be revoked?
• How do we apply for accreditation?

How do we become a code member?

• What are the practical implications for our organisation?
• What are the requirements?
• Can we sign up to a code when we’re working towards meeting the code requirements?
• If we sign up to a UK GDPR code of conduct can we get fined for not complying with the code rules?
• Do we get a badge if we sign up to a code?
• What if we feel that there is a requirement for a code in our sector?
• How can we sign up?

Submission and application

• Submit your code of conduct

ICO-approved UK GDPR codes of conduct

• ICO register of UK GDPR codes of conduct