Here are some frequently asked questions relating to our guidance on Codes of conduct in the Guide to the GDPR.
Frequently asked questions
- Who can create a GDPR code of conduct?
- Why should we sign up to a GDPR code of conduct?
- Are there any ICO-approved GDPR codes of conduct at present?
- We are reviewing our existing code of conduct. Can we amend it to comply with GDPR requirements?
- How do we develop a code of conduct?
- What is the difference between ICO-approved GDPR codes of conduct and ICO statutory codes of practice?
- Could there be multiple ICO-approved GDPR codes of conduct in one sector?
- Are cross-sector codes allowed (such as Human Resources or IT)?
- Do we need to appoint a monitoring body?
- How can we demonstrate independence for an internal monitoring body?
- Are we a public authority under the GDPR?
- Could a monitoring body be fined for GDPR infringements made by code members?
- Can we sign up to a code when we’re working towards meeting the code requirements?
- If we sign up to a GDPR code of conduct can we get fined for not complying with the code rules?
- How long does it take to get a code approved by the ICO? Where can we find more information?
- Can a monitoring body be added to a code later on?
- Who will accredit monitoring bodies?
- Do we get a badge if we sign up to a code?
Who can create a GDPR code of conduct?
A GDPR code of conduct must be submitted by a ‘code owner’ who owns the code on behalf of a category of controllers or processors. Examples of code owners include:
- an association/consortium of associations or other bodies representing categories of controllers or processors;
- a sectoral organisation;
- trade or representative associations;
- academic associations; or
- interest groups.
Why should we sign up to a GDPR code of conduct?
Signing up to a code of conduct is voluntary. If a GDPR code of conduct is developed in your sector that is relevant to your data processing activities, you should consider signing up. Code membership and compliance can:
- help you achieve better data protection compliance, knowing that you are meeting best practice standards in your sector;
- help you promote a consistent and efficient approach to common data protection issues in areas such as fair and transparent processing, security and legitimate interests;
- demonstrate that you are accountable and transparent in the way that you apply the GDPR;
- demonstrate that you have appropriate safeguards to improve the trust and confidence of the general public about what happens to their personal data; and
- provide a competitive advantage from a contract tendering or customer perspective.
Are there any ICO-approved GDPR codes of conduct at present?
No codes are approved at the moment, but we are actively working with various sector bodies and associations to assist them in developing codes of conduct.
We will publish information on our website once codes of conduct are approved and we are keen to talk to sectors that may be considering development of a code.
We are reviewing our existing code of conduct. Can we amend it to comply with GDPR requirements?
Yes. You need to review and evaluate any existing codes of conduct you have in line with the requirements of the GDPR. You can submit them to the ICO for approval if you want them to be considered as an ICO-approved GDPR code of conduct.
If you are interested in ICO approval, the EDPB guidelines will help you to ensure that your code meets the necessary criteria. Please note that your code needs to address particular data protection areas and issues that your sector faces and not simply repeat the GDPR.
How do we develop a code of conduct?
An ICO-approved GDPR code of conduct is written by a trade association or body representing a sector. You should contact them in the first instance to discuss the development of a code of conduct.
We welcome enquiries from trade associations or bodies representing a sector who are considering developing ICO-approved GDPR codes of conduct. Please email firstname.lastname@example.org.
What is the difference between ICO-approved GDPR codes of conduct and ICO statutory codes of practice?
An ICO-approved GDPR code of conduct is written by a trade association or body representing a sector. It should provide a detailed description of what the GDPR means in practice for a sector, focusing on key data protection priorities and challenges that the sector is facing. It should outline technical and organisational measures that controllers and processors must have in place in order to be a member of the code of conduct. Organisations’ compliance with the code will be monitored.
ICO statutory codes of practice are written by the ICO for key strategic areas, set out in the Data Protection Act 2018. They are approved by the Secretary of State and laid before Parliament. Codes of practice outline best practice for any organisation to follow.
Could there be multiple ICO-approved GDPR codes of conduct in one sector?
Yes. There can be multiple codes in a sector as long as they satisfy the criteria for approval and cover different personal data processing areas and scope.
Where two codes cover the same area in the same sector, we will check that they are suitably representative and consider whether there should just be one code.
A draft code must contain information regarding the extent of consultation carried out with stakeholders and individuals. This will include, where relevant, information about how the code complements other codes already approved. Code owners are also required to demonstrate the need for a code and what added value it provides.
Are cross-sector codes allowed (such as Human Resources or IT)?
Cross-sector codes are possible (such as for Human Resources or IT professionals working across multiple economic sectors). However, suitable representative organisations such as an HR professional body or IT association will need to develop the codes.
Article 40(2) of the GDPR refers to codes being prepared by representative organisations of ‘categories of controllers or processors’. Therefore, there can be cross-sector codes if the code owner can demonstrate that the sectors have a common processing activity and share the same processing needs.
More than one monitoring body may be accredited to monitor compliance with such a code if it applies to more than one sector or representative organisation. The code should therefore clearly satisfy the accreditation requirements for each monitoring body and also state in which sector each monitoring body will perform its functions.
Do we need to appoint a monitoring body?
Codes of conduct covering private or non-public authorities will have to identify a monitoring body. This body could be external or internal to the code owner.
However, all codes of conduct, whether public or private, must contain suitable mechanisms to allow for effective monitoring and appropriate action in cases of infringement. In all cases the mechanisms will need to be clear, suitable and efficient.
How can we demonstrate independence for an internal monitoring body?
A code owner will have to demonstrate how the monitoring body can remain impartial from the code owner itself, code members, and the profession, industry or sector to which the code applies.
How this will work in practice will vary depending on the code topic, the sector and the organisations involved so there is no universal approach to demonstrating independence.
Code owners will need to consider the risks to impartiality and demonstrate how they will minimise or remove these risks on an ongoing basis.
We expect that in some cases existing models of self-regulation or co-regulation familiar to representative bodies and trade associations may be adapted to meet these requirements. Existing good practice in these areas could help to prove impartiality, such as:
- being able to evidence the ability to act free from inappropriate influence;
- separate decision making arrangements;
- separate reporting lines;
- separate funding arrangements or budget management; and
- technical measures, such as information barriers.
Are we a public authority under the GDPR?
Section 7 of the DPA 2018 defines a public authority for the purposes of the GDPR.
It says that the following (and only the following) are ‘public authorities’:
- a public authority as defined by the Freedom of Information Act 2000;
- a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002; and
- an authority or body specified or described by the Secretary of State in regulations.
They are only public authorities for GDPR purposes when they are performing a task carried out in the public interest or in the exercise of official authority vested in them.
However, section 7(3) of the DPA 2018 says that the following are not public authorities for the purposes of the GDPR:
- a parish council in England;
- a community council in Wales;
- a community council in Scotland;
- a parish meeting constituted under section 13 of the Local Government Act 1972;
- a community meeting constituted under section 27 of that Act; and
- charter trustees constituted:
  - under section 246 of that Act;
  - under Part 1 of the Local Government and Public Involvement in Health Act 2007; or
  - by the Charter Trustees Regulations 1996.
While these are not public authorities for GDPR purposes, this does not affect their status as a public authority under any other legislation.
Could a monitoring body be fined for GDPR infringements made by code members?
No. A monitoring body is responsible for checking code members’ compliance with the code requirements. A monitoring body could be fined for GDPR infringements in its own capacity as a data controller, but it is not responsible for the GDPR fines of a code member.
Can we sign up to a code when we’re working towards meeting the code requirements?
Once you are assessed as adhering to a code of conduct, your compliance will be regularly monitored. However, we recognise that we will need to allow members some time to implement the code before we can monitor compliance.
The code will outline how you will move from working towards compliance to being fully compliant and how we will administer and communicate this.
If we sign up to a GDPR code of conduct can we get fined for not complying with the code rules?
The ICO can take enforcement action against organisations and individuals that have infringed the provisions of the GDPR, and will fine and use other enforcement powers where they are effective and proportionate. An organisation’s membership of a code could be taken into account in considering enforcement action. Details of our Regulatory Action Policy can be found on our website.
How long does it take to get a code approved by the ICO? Where can we find more information?
We anticipate that the process should take approximately 15 weeks, depending upon the nature and complexity of the code. There is more information on our website.
Can a monitoring body be added to a code later on?
The ICO has to approve further amendments or extensions to the code, and changes or extensions to the monitoring bodies.
Who will accredit monitoring bodies?
The ICO will accredit monitoring bodies that have been identified as part of a GDPR code of conduct. There are a number of requirements that must be met before the ICO will give a monitoring body accreditation. The ICO accreditation requirements can be found on our website.
Do we get a badge if we sign up to a code?
By signing up to a GDPR code of conduct you are showing that you can effectively apply the GDPR. All GDPR codes of conduct will be registered by the ICO and published on the ICO website. Depending on how the code has been constructed, it may be that those signing up to the code are able to display some form of visual symbol showing that they are a member of that code.