At a glance

Signing up to a code of conduct is voluntary. If a UK GDPR code of conduct is developed in your sector that is relevant to your data processing activities, you should consider signing up. Code membership and compliance can:

  • help you achieve better data protection compliance, knowing that you are meeting best practice standards in your sector;
  • help you promote a consistent and efficient approach to common data protection issues in areas such as fair and transparent processing, security and legitimate interests;
  • demonstrate that you are accountable and transparent in the way that you apply the UK GDPR;
  • demonstrate that you have appropriate safeguards to improve the trust and confidence of the general public about what happens to their personal data;
  • help you to address the type of processing you are doing and the related level of risk. For example, a code may contain more demanding requirements when it relates to processing of sensitive special category personal data; and
  • provide a competitive advantage from a contract tendering or customer perspective.

In brief

What are the practical implications for our organisation?

  • You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or a brand-new code.
  • People who access your services will be able to view your code membership on the code’s webpage.
  • Your compliance with the code will continue to be monitored on a regular basis after the initial assessment. This monitoring provides assurance that the code members can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
  • When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the UK GDPR.

What are the requirements?

The requirements for code membership will be set out in the code itself. They will vary depending on the sector and complexity of the code. You must be able to comply with all mandatory elements of a code of conduct before signing up to it as your compliance will be regularly monitored.

Can we sign up to a code when we’re working towards meeting the code requirements?

We recognise that we will need to allow members some time to implement the code requirements before the monitoring body can monitor compliance.

The code will outline how you will move from working towards compliance to being fully compliant and how the monitoring body will administer and communicate this.

If we sign up to a UK GDPR code of conduct can we get fined for not complying with the code rules?

The ICO can take enforcement action against organisations and individuals that have infringed the UK GDPR and will use enforcement powers where they are effective and proportionate. However, we may take into account an organisation’s membership of a code and lack of required compliance with it when considering enforcement action.

Read our Regulatory Action Policy for further information.

Will the ICO consider our code membership as a mitigating factor in the event of an investigation?

Yes, in some circumstances. Our regulatory approach encourages and rewards compliance. When considering regulatory action, organisations can expect us to take it into account if they:

  • self-report;
  • engage with us to resolve issues; and
  • can demonstrate strong information rights accountability arrangements.

Being a member of a UK GDPR Code of Conduct approved by the ICO is a way of demonstrating accountability and compliance with the law for a specific processing activity.

We would likely consider code membership as a mitigating factor if you followed the code requirements and took all reasonable steps to prevent non-compliance.

However, if you did not follow the requirements, which then caused the compliance issue, we may consider this as an aggravating factor. In this case the monitoring body may also suspend or revoke your code membership.

UK GDPR codes of conduct set requirements for best practice in a particular area. Therefore becoming a code member and adhering to these requirements should significantly reduce the risk of non-compliance and should significantly reduce the risk of the ICO taking corrective action.

In the event of non-compliance, your code membership will be a relevant factor when determining what, if any, regulatory action it may be appropriate to take.

When considering action, we adopt a case-by-case approach. We look at a number of factors, including whether you have adhered to the code of conduct.

Read our Regulatory Action Policy for further information.

Do we get a badge if we sign up to a code?

By signing up to a UK GDPR code of conduct you are showing that you can effectively apply the UK GDPR. All codes of conduct will be registered by the ICO and published on the ICO website. Depending on how the code has been constructed, it may be that those signing up to the code are able to display some form of visual symbol that they are a member of that code.

What if we feel that there is a requirement for a code in our sector?

If you feel that there is a common data protection issue in your sector you should contact a relevant trade association, representative body or body able to legitimately speak on behalf of organisations like you. You can raise awareness of the issue and discuss the benefits of developing a code to address it.

How can we sign up?

The ICO has not yet formally approved any codes of conduct. You may wish to contact your trade association, representative body or a body able to legitimately speak on behalf of organisations like you to discuss whether they are developing a code in your sector.

In more detail - European Data Protection Board

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

EDPB ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’