The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

At a glance

A GDPR code of conduct must be submitted to the ICO by a ‘code owner’ who owns the code on behalf of a category of controller or processors. If you are a trade association or body representing a sector and are interested in developing a code of conduct please contact us at codesofconduct@ico.org.uk.

In brief

Who can create a GDPR code of conduct?

A ‘code owner’ is an association or body who creates and submits their code of conduct. Examples of code owners include:

  • an association/consortium of associations or other bodies representing categories of controllers or processors;
  • a sectoral organisation;
  • trade or representative associations;
  • academic associations; or
  • interest groups.

The code owner must demonstrate to the ICO that they:

  • are able to speak on behalf of a group of organisations;
  • have the necessary experience within their sector; and
  • understand the needs of the organisations.

At what stage can our sector engage with the ICO?

We will provide advice and support to sectors from the start. You are therefore strongly encouraged to contact the ICO during the development stage of your code of conduct, prior to any formal submission, to ensure that when drafting the code, you are meeting the necessary criteria and understand the requirements of the GDPR. Please contact us at codesofconduct@ico.org.uk.

How can we apply to the ICO to have our code of conduct approved?

If you are ready to submit your application, it may help you to complete the questions on the submission page. This will ensure that you have met the criteria for approval and have all relevant supporting documentation before applying.

You can then download and complete the online application form, attach all supporting documentation and submit it to codesofconduct@ico.org.uk.

What supporting documents do we need to include with the application?

We will check that you have fully completed your application form and as a minimum we expect copies of any documentation that you refer to within the code, such as guidance or processing documents.

We also expect copies of any other relevant supporting documents, for example:

  • evidence to support your status within your sector;
  • evidence to support that as a code owner you are able to speak on behalf of a group of organisations. For example, by providing details of your reputation or experience within the sector, and/or the number or percentage of potential code members expected to sign up to the code;
  • evidence to demonstrate that you have consulted with relevant parties such as stakeholders, clients, the public or others as relevant. You should provide evidence of the consultation and the outcomes;
  • references to or details of any other national legislation relevant the code; and
  • supporting documents for any required code monitoring body, to ensure that the body meets the ICO accreditation (approval) criteria. You can find further details of what supporting documentation is required by reading the information on ‘How do we gain monitoring body accreditation?’.

If you are uncertain what documents you need to provide, please contact us at codesofconduct@ico.org.uk.

What are the code of conduct approval requirements?

You should ensure that your application demonstrates how the code of conduct meets the following key requirements:

  • It is prepared and submitted by a trade body, representative organisation, or other body representing categories of controllers or processors. A code owner must demonstrate that they are able to speak on behalf of a group of organisations, have relevant experience and understand the needs of the organisations.
  • It must contain a statement detailing the key issues which the code addresses, the processing activity/activities, the types of data, the data protection risks involved with the processing and what safeguards have been put into place within the code.
  • It details the processing operations that it covers and areas it intends to address such as those listed in Article 40(2).
  • It specifies whether it is a national code or a code which covers processing activities in more than one member state.
  • It is submitted to the correct Supervisory Authority, taking into account the location of the headquarters of code owners and monitoring body and also location of the processing activity/sector/data subjects.
  • It describes the mechanisms for monitoring compliance with the code, including structures and procedures for the investigation and management of code infringements and details of corrective measures.
  • Where processing activities relate to private/non-public authorities, it identifies an appropriate monitoring body and contains sufficient detail to satisfy the ICO monitoring body assessment criteria and also sets out the provisions to address a situation where the monitoring body has its accreditation revoked.
  • It details the consultation that has taken place with potential code members, stakeholders, data subjects or other relevant bodies.
  • It provides confirmation that the code of conduct complies with any relevant national legislation.
  • The ICO application form has been fully completed and all relevant documentation is attached to the code on submission.

What happens to the application?

The ICO will acknowledge receipt of your application and conduct an assessment of your code of conduct to ensure that you have met the initial criteria for approval (as outlined above).

If the triage requirements are met, we will write to you confirming that you will proceed to a full code review. If partially met, we will give you further advice. If not met, we will notify you that the code is currently unfit for further assessment.

The ICO will keep you regularly updated and allow you an opportunity to discuss any matters.

What is a full code review?

The ICO Code Assessment Group (made up of internal staff with relevant sectoral or technical expertise) carry out a full review to decide whether the code of conduct:

  • demonstrates a need for the code within that sector or processing activity;
  • addresses the specific needs of the sector whilst demonstrating a practical understanding of the GDPR;
  • provides specific industry improvements on particular data protection areas;
  • provides suitable and effective safeguards against the risks with data processing; and
  • provides mechanisms to ensure that compliance with the code of conduct is appropriately monitored.

What are the possible outcomes of the full code review?

The Code Assessment Group will produce a report recommending either:

  • code approval;
  • amendments to the code; or
  • code rejection.

If they recommend approval, we will inform you and provide a code of conduct approval report.

If the code of conduct requires amendments, you will receive a written report outlining reasons for non-approval and providing further advice.

You may be given an opportunity to attend a meeting with the Code Assessment Group to help clarify any matters. We will advise you about any necessary amendments and re-submission.

If we reject the code, you will receive a report highlighting the issues or queries raised by the Code Assessment Group and the reasons why there is doubt on the content or use of the code.

How long does it take to get a code approved by the ICO?

Once the code of conduct is formally submitted, we anticipate that the process should take approximately 8-12 weeks, depending upon the nature, completeness and complexity of the code.

Will the ICO register and publish approved codes on the website?

Yes. We will register and publish UK national codes approved by the ICO on our website, including the name of code owner, the code title, sector, and the date and version of the code that we have approved.

We may also notify the European Data Protection Board to update their register of all approved codes of conduct.

What is the register of code of conduct members?

You should keep an easily accessible and publicly available list of your code members. We will expect you to keep this list up to date and make any amendments immediately and without delay.

What is the code of conduct review process?

You should periodically review the code of conduct to ensure that it remains relevant and up to date. If you need to make any amendments or extensions to the code, you should let the ICO know in writing at codesofconduct@ico.org.uk.

The ICO must approve further amendments or extensions to the code or changes or additions to the monitoring bodies.

How should a code owner report to the ICO?

The code owner should send the ICO an annual report which includes:

  • a list of current code members;
  • any new members;
  • information concerning code member breaches of code requirements;
  • details of any members suspended or excluded in the last 12 months; and
  • outcomes of the code review.

How is code members’ compliance monitored?  

All codes of conduct must contain ways to effectively monitor compliance by code members.

For codes covering private or non-public authorities, the code of conduct needs to identify an appropriate monitoring body and provide sufficient detail to demonstrate that the body meets the accreditation requirements and any other requirements outlined in the code.

The purpose of the monitoring body is to ensure code members comply with the code. Monitoring bodies are accredited (approved) by the ICO on the basis of meeting all accreditation requirements. The code should also outline alternative ways to monitor compliance if the monitoring body has its accreditation removed.

What is the difference between ICO-approved GDPR codes of conduct and ICO statutory codes of practice?

An ICO-approved GDPR code of conduct is written by a body able to legitimately speak on behalf of a group of organisations, such as a trade or representative body. It should provide a detailed description of what the GDPR means in practice for the organisations it covers, focusing on key data protection priorities and challenges that they are facing. It should outline technical and organisational measures that controllers and processors must have in place in order to be a member of the code of conduct. Organisations’ compliance with the code will be monitored.

ICO statutory codes of practice are written by the ICO to address key strategic areas, set out in the Data Protection Act 2018. They are approved by the Secretary of State and laid before Parliament. Codes of practice provide practical guidance to organisations about how to comply with data protection legislation with regards to a particular topic.

We are reviewing our existing code of conduct. Can we amend it to comply with GDPR requirements?

Yes. You need to review and evaluate any existing codes of conduct you have in line with the requirements of the GDPR. You can submit them to the ICO for approval, if you want them to be considered as an ICO-approved GDPR code of conduct.

Please note that your code needs to address particular data protection areas and issues that your sector faces and not simply repeat the GDPR.

The ICO will provide advice and support to sectors wishing to develop a code of conduct and you are strongly encouraged to contact the ICO during the development stage of your code of conduct, prior to any formal submission.

Could there be multiple ICO-approved GDPR codes of conduct in one sector?

Yes. There can be multiple codes in a sector as long as they:

  • satisfy the criteria for approval;
  • cover different personal data processing areas and scope; and
  • are clear about what organisations within the sector they apply to.

Where two codes are covering the same area in the same sector, we will check that they are suitably representative and consider if there should just be one code.

A draft code must contain information regarding the extent of consultation carried out with stakeholders and individuals. This will include, where relevant, information about how the code complements other codes already approved. Code owners are also required to demonstrate the need for a code and what added value it provides.

Are cross-sector codes allowed?

Cross-sector codes are possible (such as Human Resources or IT professionals working across multiple economic sectors) if the code owner can demonstrate that the organisations covered have a common processing activity and share the same processing needs. In these circumstances suitable organisations such as an HR professional body or IT association will need to develop the codes.

It may be the case that more than one monitoring body may need to be accredited if a cross-sector code applies to more than one category of data controllers and or representative organisation. In these circumstances, the code should clearly outline the accreditation requirements for each monitoring body and also state which data controllers each monitoring body will perform its functions on.

Are we a public authority under the GDPR?

Section 7 of the DPA 2018 defines a public authority for the purposes of the GDPR.

It says that the following (and only the following) are ‘public authorities’:

  • a public authority as defined by the Freedom of Information Act 2000;
  • a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002; and
  • an authority or body specified or described by the Secretary of State in regulations.

They are only public authorities for GDPR purposes when they are performing a task carried out in the public interest or in the exercise of official authority vested in them.

However, section 7(3) of the DPA 2018 says that the following are not public authorities for the purposes of the GDPR:

  • a parish council in England;
  • a community council in Wales;
  • a community council in Scotland;
  • a parish meeting constituted under section 13 of the Local Government Act 1972;
  • a community meeting constituted under section 27 of that Act; and
    • charter trustees constituted;
    • under section 246 of that Act,
    • under Part 1 of the Local Government and Public Involvement in Health Act 2007; or
    • by the Charter Trustees Regulations 1996.

While these are not public authorities for GDPR purposes, this does not affect their status as a public authority under any other legislation.