This code came into force on 2 September 2020, with a 12 month transition period. Organisations should conform by 2 September 2021.
At a glance
The ICO upholds information rights in the public interest. Data relating to children is afforded special protection in the GDPR and is a regulatory priority for the ICO. Conforming to the standards set out in this code will be a key measure of your compliance with data protection laws.
We will monitor conformance to this code through a series of proactive audits, will consider complaints, and take appropriate action to enforce the underlying data protection standards, subject to applicable law and in line with our Regulatory Action Policy. To ensure proportionate and effective regulation we will target our most significant powers, focusing on organisations and individuals suspected of repeated or wilful misconduct or serious failure to comply with the law. If you do not follow this code, you may find it difficult to demonstrate that your processing is fair and complies with the GDPR or PECR.
We have various powers to take action for a breach of the GDPR or PECR, including where a child’s personal data has been processed in breach of relevant provisions of these laws. This includes the power to issue warnings, reprimands, stop-now orders and fines.
In more detail
- What is the role of the ICO?
- How will the ICO monitor compliance?
- How will the ICO deal with complaints?
- What are the ICO’s enforcement powers?
The Information Commissioner is the independent supervisory authority for data protection in the UK.
Our mission is to uphold information rights for the public in the digital age. Our vision for data protection is to increase the confidence that the public have in organisations that process personal data. We offer advice and guidance, promote good practice, monitor and investigate breach reports, monitor compliance, conduct audits and advisory visits, consider complaints, and take enforcement action where appropriate. Our enforcement powers are set out in part 6 of the DPA 2018.
Our focus is on compliance with data protection legislation in the UK. In particular, to ensure that the protections provided for children’s data are adhered to.
Where the provisions of this code overlap with other regulators we will work with them to ensure a consistent and co-ordinated response.
Key objectives in our Regulatory Action Policy include:
“To be proactive in identifying and mitigating new or emerging risks arising from technological and societal change” and,
“To be effective, proportionate, dissuasive and consistent in our application of sanctions, targeting our most significant powers (i) for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data, and (ii) where formal regulatory action serves as an important deterrent to those who risk non-compliance with the law.”
We have also made use of children’s data a regulatory priority.
We will monitor conformance to this code using the full range of measures available to us from intelligence gathering through to using our audit or assessment powers to understand an issue, through to investigation and regulatory action where appropriate and proportionate..
Our approach is to encourage conformance. Where we find issues we take fair, proportionate and timely regulatory action with a view to guaranteeing that individuals’ information rights are properly protected. We will take account of the size and resources of the organisation concerned, the availability of technological solutions in the marketplace and the risks to children that are inherent in the processing. We will take a proportionate and responsible approach, focussing on areas with the potential for most harm and selecting the most suitable regulatory tool.
If someone raises a concern with us about your conformance to this code or the way you have handled a child’s personal data in the context of a relevant online service, we will record and consider their complaint.
We will take this code into account, along with other relevant legislation, when considering whether you have complied with the GDPR or PECR. In particular, we will take the code into account when considering questions of fairness, lawfulness, transparency and accountability.
We will assess your initial response to the complaint, and we may contact you to ask some questions and give you a further opportunity to explain your position. We may also ask for details of your policies and procedures, your DPIA, and other relevant documentation. However, we expect you to be accountable for how you meet your obligations under GDPR and PECR, so you should make sure that when you initially respond to complaints from individuals you do so with a full and detailed explanation about how you use their personal data and how you comply.
If we consider that you have failed (or are failing) to comply with the GDPR or PECR, we have the power to take enforcement action. This may require you to take steps to bring your operations into compliance or we may decide to fine you. Or both.
We have various powers to take action for a breach of the GDPR or PECR, including where a child’s personal data is involved. We have a statutory duty to take the provisions of this code into account when enforcing the GDPR and PECR.
Without prejudice to the specifics of applicable law such as the eCommerce Regulations 2002, tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to €20 million (or £17.5 million when the UK GDPR comes into effect) or 4% of your annual worldwide turnover, whichever is higher.
In line with our policy, we consider that the public interest in protecting children online is a significant factor weighing in the balance when considering the type of regulatory action. This means that where see harm or potential harm to children we will likely take more severe action against a company than would be the case for other types of personal data. We will nevertheless take account of the size and resources of the organisation concerned, the availability of technological solutions in the marketplace and the specific risks to children that are inherent in the processing. We will also take into account the efforts made to conform to the provision in this code.