Under the GDPR, trade associations and representative bodies may draw up codes of conduct that cover topics that are important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. They are a good way of developing sector-specific guidelines to help with compliance with the GDPR. There is a real benefit to developing a code of conduct as it can help to build public trust and confidence in your sector’s ability to comply with data protection laws.
The EDPB agreed UK monitoring body accreditation requirements, in December 2019 and the ICO are now able to approve both codes of conduct and code monitoring bodies. We welcome enquiries from associations and other bodies representing categories or controllers or processors. For example, an association/consortium of associations, trade or representative associations, academic associations or interest groups. Please contact us at email@example.com.
At a glance
- Codes of conduct enable a sector to own and resolve key data protection challenges. The ICO see these as a way of demonstrating accountability and encourage sectors through trade associations and representative bodies to create codes of conduct.
- Using ICO approved code of conduct give assurance that the code and its monitoring is appropriate and will help you to apply the GDPR effectively.
- Codes of conduct should reflect the requirements of different processing sectors and takes account of the specific needs of small and medium sized enterprises.
- Trade associations or bodies representing a sector can create, amend or extend codes of conduct to help their sector comply with the GDPR in a practical, transparent and cost-effective way.
- Signing up to a code of conduct is voluntary. However, if there is an approved code of conduct, relevant to your processing, you should consider signing up.
- A code of conduct can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve best practice.
- A draft code of conduct must be submitted to us for approval and will be assessed against specific criteria to ensure that it meets the expected standard.
- A code of conduct will describe appropriate monitoring mechanisms and bodies which will be approved as part of the code approval process.
Codes of conduct help you to apply the GDPR effectively and allow you to demonstrate your compliance.
- What are codes of conduct?
- Why sign up to a code of conduct?
- What should a code of conduct address?
- Who is responsible for codes of conduct?
- How will the ICO approve a code of conduct?
- How will compliance with the code be monitored?
- How to become a monitoring body
- What are the practical implications for our organisation?
- Timelines and next steps
- Frequently asked questions
- Contact us
Codes of conduct are voluntary accountability tools, enabling sectors to own and resolve key data protection challenges in their sector with assurance from ICO that the code, and its monitoring, is appropriate. They can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve good practice. They are written by an organisation or association representing a sector in language that the sector understands and enable sectors to solve these challenges.
By signing up to a code of conduct, controllers and processors can ensure they apply the GDPR effectively and in doing so establish operational norms in compliance that ultimately should assist in bringing down levels of non-compliance. Codes of conduct require a monitoring method, and for private or non-public authorities, a monitoring body to deliver them.
Adhering to a code of conduct shows that you:
- follow GDPR requirements for data protection that have been agreed as good practice within your sector; and
- are appropriately addressing the type of processing you are doing and the related level of risk. An example is a code may contain more demanding requirements when it relates to processing of sensitive special category personal data.
Adhering to a code of conduct could help you to:
- be more transparent and accountable;
- take into account the specific requirements of processing carried out in a sector and improve standards by following best practice in a cost effective way;
- promote confidence and in a sector by creating effective safeguards to mitigate the risk around processing activities;
- earn the trust and confidence of data subjects and promote the rights and freedoms of individuals;
- help with specific data protection areas, such as breach notification and privacy by design;
- demonstrate that you have appropriate safeguards to transfer data to countries outside the EU; and
- improve the trust and confidence in your organisation’s compliance with GDPR and of the general public about what happens to their personal data.
Codes of conduct should help you to comply with the GDPR, and may cover topics such as fair and transparent processing, legitimate interests, pseudonymisation or alternative, appropriate data protection processing issues.
Codes of conduct should reflect the specific needs of controllers and processors in small and medium enterprises and help them to work together to apply GDPR requirements to specific issues that they face.
Codes should provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost effective means to enable compliance with GDPR for a sector and its members.
Trade associations or other bodies representing controllers or processors can create a code of conduct in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with GDPR requirements. They have to submit the draft code to us for approval.
We encourage the creation of codes of conduct by actively engaging with sectors to encourage development and uptake of codes of conduct where the sector would benefit. We will also support organisations who approach the ICO with a proposal for a code of conduct. In doing so we will provide advice to sectors and support in understanding codes of conduct.
- check that codes meet the code criteria set out below;
- set out monitoring body accreditation criteria;
- accredit monitoring bodies;
- approve and publish codes; and
- maintain a public register of all approved UK codes.
All codes of conduct received will be assessed against the following criteria to ensure that the code submission addresses the following:
- The code owner’s ability to represent controllers or processors covered by the code.
- Contains a concise statement explaining the purpose and scope of the code and how it effectively applies the GDPR.
- Identifies processing operations that the code covers and the categories of controllers or processors that it applies to as well as what the data protection issues are that it intends to address.
- Specifies whether it is a national or transnational code and provide details in relation to the code’s geographical scope.
- Transnational codes must identify an appropriate Competent Supervisory Authority.
- Identifies suitable monitoring mechanisms to assess compliance with the code.
- Identifies the monitoring body and its legal status (as required for codes covering non-public authorities).
- That it outlines the stakeholder consultation.
- That it complies with relevant national legislation.
All codes of conduct must contain mechanisms to allow for effective monitoring of code compliance.
A monitoring body or bodies must be identified as part of the code to fulfil the code monitoring requirements, except for codes covering public authorities. These bodies have to be accredited by the ICO.
There are a number of requirements that should be met in order for a monitoring body to gain ICO accreditation. Code owners will need to demonstrate as a minimum how their proposed monitoring body:
- Is independent from code owners.
- Can act free from sanctions or external influence to ensure that no conflict of interest arises.
- Has the required knowledge and expertise.
- Has established procedures, structures and resources for the monitoring of compliance with the code.
- Has an open and transparent complaints handling process.
- Will communicate to the ICO code member infringements that lead to suspensions or exclusions.
- Will review the code to ensure that the code remains relevant and up to date.
- Has appropriate legal status.
The ICO accreditation requirements have now been adopted by EDPB and can be found here.
- You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or a brand new code.
- Your customers will be able to view your code membership via the code’s webpage, the ICO’s public register of UK approved codes of conduct and the EDPB’s public register for all codes of conduct in the EU.
- Once you are assessed as adhering to the code, your compliance with the code will be monitored on a regular basis. This monitoring provides assurance that the code can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
- When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the GDPR.
The European Data Protection Board have adopted ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’. On 2 December 2019 the EDPB adopted opinion 17/2019 on the UK code of conduct monitoring body accreditation requirements, leading to their finalisation.
We now welcome enquiries from trade associations or bodies representing a sector who are considering developing ICO-approved GDPR codes of conduct. Please contact us via email at firstname.lastname@example.org.
We have published answers to frequently asked questions relating to codes of conduct.
If you still have queries after reading our frequently asked questions, we can offer support and guidance. Please contact us email@example.com.