How do we become a code member?

At a glance

Signing up to a code of conduct is voluntary. However, if your sector develops a data protection code of conduct (or if there is one relevant to your data processing activities), you could become a code member. Code membership can:

  • help you achieve better data protection compliance, knowing that you’re meeting best practice standards in your sector or area of processing;
  • help you promote a consistent and efficient approach to common data protection issues as set out in the code;
  • demonstrate that you’re accountable and transparent in the way that you apply data protection law;
  • demonstrate that you have appropriate safeguards to improve people’s trust and confidence in how you will handle their information;
  • help you to address the risks associated with the type of processing you’re doing (eg a code may contain more demanding requirements when it relates to high-risk processing or processing of special category data); and
  • provide a competitive advantage from a contract tendering or customer perspective.

What are the practical implications for our organisation?

You could sign up to a code of conduct which is relevant to your sector, profession or processing activities. 

For UK GDPR and PECR codes, once you have been assessed as adhering to the code, your compliance with the code will be monitored regularly. This provides assurance that your compliance with the code requirements is being measured. 

Your membership can be withdrawn if you no longer meet the code’s requirements, and the monitoring body must notify us of this.

When engaging processors, you could consider whether they are signed up to a relevant code of conduct as part of your due diligence when entering into a contract.

DPA part 3 codes set out expectations about membership and procedures for monitoring compliance.

Will the ICO consider our code membership as a mitigating factor in the event of an investigation?

Yes, in some circumstances. Our regulatory approach encourages and rewards compliance. When considering regulatory action, organisations can expect us to take it into account if they:

  • self-report;
  • work with us to resolve issues; and
  • can demonstrate strong information rights accountability arrangements.

Being a member of an ICO-approved code of conduct is a way of demonstrating accountability and compliance with the law for a specific processing activity.

We are likely to consider code membership as a mitigating factor if you followed the code requirements and took all reasonable steps to prevent non-compliance.

However, if you did not follow the requirements, and this caused or contributed to the compliance issue, we may consider this as an aggravating factor. In such cases, this may result in your code membership being suspended or revoked.

Codes of conduct set requirements for best practice in a particular area. Therefore, becoming a code member and adhering to these requirements should significantly reduce the risk of non-compliance and the risk of us taking corrective action.

In the event of non-compliance, your code membership will be a relevant factor when we decide what, if any, regulatory action is appropriate.

When considering action, we take a case-by-case approach. We look at several factors, including whether you have adhered to the code of conduct.

Read our Regulatory action policy for further information.

How can we sign up?

The requirements for code membership are set out in each code of conduct. These vary depending on the sector or profession and the code’s complexity. 

You will be required to comply with all relevant elements of a code of conduct to become a code member. Your compliance will be regularly monitored.  

We recognise that in some circumstances, code members may need some time to implement code requirements before their compliance can be monitored.

If this is the case, the code will outline how you will move from working towards compliance to being fully compliant and how this will be managed (including by the monitoring body, where required). 

You can find details of approved codes of conduct in the register of codes of conduct.

If there is an approved code for your sector or area of processing, you should contact the relevant code owner or monitoring body.

If there are no approved codes of conduct, and you feel that there are common data protection issues in your sector or profession, you could contact your professional association or representative body to see if they are interested in developing one. 

You could raise awareness of the issues and discuss the benefits of developing a code to address them.

How will people know we’re a code member?

By signing up to a code of conduct, you’re showing that you’re complying with your obligations under data protection law. We publish all codes of conduct on our website. 

Depending on the code, members may be able to display some form of visual symbol provided by the code owner, showing that they are a code member.

Your customers may be able to view your code membership on the code owner’s webpage, depending on the type of code.