At a glance
Signing up to a code of conduct is voluntary. If a GDPR code of conduct is developed in your sector that is relevant to your data processing activities, you should consider signing up. Code membership and compliance can:
- help you achieve better data protection compliance, knowing that you are meeting best practice standards in your sector;
- help you promote a consistent and efficient approach to common data protection issues in areas such as fair and transparent processing, security and legitimate interests;
- demonstrate that you are accountable and transparent in the way that you apply the GDPR;
- demonstrate that you have appropriate safeguards to improve the trust and confidence of the general public about what happens to their personal data;
- help you to address the type of processing you are doing and the related level of risk. An example is a code may contain more demanding requirements when it relates to processing of sensitive special category personal data; and
- provide a competitive advantage from a contract tendering or customer perspective.
- What are the practical implications for our organisation?
- What are the requirements?
- Can we sign up to a code when we’re working towards meeting the code requirements?
- If we sign up to a GDPR code of conduct can we get fined for not complying with the code rules?
- Do we get a badge if we sign up to a code?
- What if we feel that there is a requirement for a code in our sector?
- How can we sign up?
- You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or a brand-new code.
- People who access your services will be able to view your code membership on the code’s webpage.
- Your compliance with the code will continue to be monitored on a regular basis after the initial assessment. This monitoring provides assurance that the code members can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
- When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the GDPR.
The requirements for code membership will be set out in the code itself. They will vary depending on the sector and complexity of the code. You must be able to comply with all mandatory elements of a code of conduct before signing up to it as your compliance will be regularly monitored.
We recognise that we will need to allow members some time to implement the code requirements before the monitoring body can monitor compliance.
The code will outline how you will move from working towards compliance to being fully compliant and how the monitoring body will administer and communicate this.
The ICO can take enforcement action against organisations and individuals that have infringed the GDPR and will use enforcement powers where they are effective and proportionate. However, we may take into account an organisation’s membership of a code and lack of required compliance with it when considering enforcement action.
Read our Regulatory Action Policy for further information.
By signing up to a GDPR code of conduct you are showing that you can effectively apply the GPDR. All GDPR codes of conduct will be registered by the ICO and published on the ICO website. Depending on the how the code has been constructed, it may be that those signing up to the code are able to display some form of visual symbol that they are a member of that code.
If you feel that there is a common data protection issue in your sector you should contact a relevant trade association, representative body or body able to legitimately speak on behalf of organisations like you. You can raise awareness of the issue and discuss the benefits of developing a code to address it.
The ICO has not yet formally approved any codes of conduct. You may wish to contact your trade association, representative body or a body able to legitimately speak on behalf of organisations like you to discuss whether they are developing a code in your sector.