
Codes of conduct: a guide

Latest updates - last updated 5 February 2026

5 February 2026 – The Data Use and Access Act 2025 (DUAA) makes changes in relation to codes of conduct.

It allows for codes of conduct to be developed under part 3 of the Data Protection Act 2018, and under the Privacy and Electronic Communications Regulations (PECR).

It also amends article 41 of the UK GDPR to clarify when a monitoring body should tell the ICO about an infringement of a code of conduct.

We have updated our guidance to reflect these changes.

Associations or other bodies develop codes of conduct to provide specific guidelines for data protection issues that are important to their members. They help organisations comply with data protection law, building public trust and confidence in their ability to do so. Code owners are responsible for developing and submitting a code of conduct to us for approval.

At a glance 

  • Codes of conduct enable a sector or profession sharing a common processing activity to own and resolve key data protection challenges. Codes are a way of demonstrating accountability. We encourage associations, representatives and other expert public bodies to create codes of conduct.
  • Codes provide added value by tailoring relevant data protection requirements to the sector or data processing activity. They can be a cost-effective way of improving data protection compliance for a sector or profession and its members.
  • Using an ICO-approved code of conduct gives assurance that the code and its monitoring are appropriate and helps you to apply the UK GDPR, the Privacy and Electronic Communications Regulations or part 3 of the Data Protection Act 2018 effectively.
  • Code owners should ensure their codes of conduct reflect the requirements of the relevant sector or profession and take account of the specific needs of micro, small and medium-sized enterprises. 
  • Code owners could develop cross-sector codes where organisations have a common processing activity and share the same processing needs. For example, this may apply to a profession or occupation (such as human resources or IT professionals) working across multiple economic sectors. 
  • Codes of conduct describe how code compliance is monitored using suitable mechanisms, including ICO-accredited monitoring bodies where applicable.
  • The ICO is responsible for approving and publishing codes of conduct in line with our application and approval process. We provide guidance and support at each stage to ensure codes meet the expected standard.
  • Signing up to a code of conduct is voluntary. However, if there is an approved code of conduct relevant to your processing, you could consider signing up.


Legislative requirements

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Must refers to:

  • legislative requirements within our remit; or
  • established case law (for the laws that we regulate) that is binding.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

What are codes of conduct?

Codes of conduct are voluntary accountability tools containing sets of rules to help you comply with UK data protection laws. Code owners write them to identify and address data protection issues that apply to and are important to your sector or profession. Code owners should ensure that they are tailored to a sector or profession and do not simply restate UK data protection law. ICO approval provides assurance that the code and its monitoring meet legal requirements.

Codes of conduct provide added value by tailoring relevant data protection requirements to the sector or profession, offering clear, practical solutions. They build public trust and confidence in your ability to comply with data protection law. 

What should a code of conduct cover?

There are currently three types of data protection codes of conduct: 

  • Codes relating to the UK General Data Protection Regulation (UK GDPR)
  • Codes relating to the Privacy and Electronic Communications Regulations (PECR)
  • Codes relating to part 3 of the Data Protection Act 2018 (DPA part 3)

Code owners should ensure that codes of conduct reflect the specific data protection needs of your sector or profession, including micro, small and medium enterprises.

They could cover topics such as: 

  • fair and transparent processing; 
  • fair and lawful processing;
  • data subjects’ rights;
  • legitimate interests;
  • pseudonymisation; and 
  • other data protection processing issues.

Code owners should ensure that codes of conduct outline the following:

  • How the code owner can represent controllers or processors covered by the code (for UK GDPR and PECR codes).
  • Why the code owner qualifies as an expert public body (for DPA part 3 codes) and is therefore able to develop the code.
  • What the code’s purpose is, what the benefits to members are, and how it adds value by effectively applying data protection law.
  • Which processing activities the code covers, which categories of controllers or processors it applies to, and which data protection issues it intends to address.
  • How code members’ compliance with the code is monitored.
  • For codes covering private organisations or other non-public bodies:
    • who the agreed monitoring body is;
    • what its legal status is; and
    • how it meets the monitoring body accreditation requirements.
  • The nature and outcome of stakeholder consultation.
  • Confirmation that it complies with and doesn’t contradict data protection or other relevant national laws. 

Who is responsible for codes of conduct? 

Code owners are responsible for developing and submitting a code of conduct to us for approval. Associations or other bodies can create a code of conduct in consultation with relevant stakeholders, including the public, where feasible. They could amend existing industry or sector codes to reflect UK data protection requirements. However, they are still subject to our standard application and approval process.  

We encourage the development and uptake of codes of conduct where they would benefit sectors or professions. We are responsible for approving them in line with our application and approval process. We support organisations developing codes of conduct by: 

  • providing advice and guidance at each stage of development; 
  • checking that codes meet the requirements set out in our detailed guidance on codes of conduct;
  • approving and publishing codes of conduct in a public register; and 
  • accrediting monitoring bodies, where required. 

Is compliance with the code monitored? 

UK GDPR and PECR codes of conduct must set out suitable methods to effectively monitor code member compliance.  

DPA part 3 codes need to explain how they are monitored using internal audit and compliance mechanisms. 

Code owners for codes of conduct covering the private sector or any non-public bodies must also identify a monitoring body to fulfil the code monitoring requirements.  

Monitoring bodies must be accredited by us under a separate application process.  

Code owners for UK GDPR and PECR codes must ensure they include appropriate action in cases of infringement. They must ensure these methods are clear, suitable and efficient.

Why sign up to a code of conduct? 

Signing up to a relevant code can ensure you understand how to apply data protection legislation effectively and consistently. This helps to improve levels of compliance across your sector or profession.  

Signing up to a code may help you: 

  • be more transparent and accountable; 
  • consider the specific requirements of processing carried out in your sector or profession and improve standards by following best practice; 
  • promote confidence in how your organisation mitigates the risks relating to your processing activities; 
  • improve specific aspects of data protection, such as breach reporting and privacy by design; and 
  • assure people that you can handle their personal information lawfully and in a way that promotes their rights and freedoms.

How do we sign up to become a code member? 

You can see if there is an approved code of conduct for your sector or profession in the register of codes of conduct. You should contact the relevant code owner or monitoring body to find out how to become a code member.  

We have published further information about how to become a code member in our detailed guidance.  

Next steps 

We welcome enquiries from organisations that are considering developing a code of conduct. You can find out more about this in our detailed guidance on codes of conduct.

Organisations wishing to become a monitoring body for a code of conduct are required to meet our accreditation requirements. We require potential monitoring bodies to undergo a separate ICO application and approval process to ensure they meet these requirements.