At a glance

  • The GDPR recommends that you use approved codes of conduct to help you to apply the GDPR effectively.
  • Codes of conduct will reflect the needs of different processing sectors and micro, small and medium sized enterprises.
  • Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost effective way.
  • Signing up to a code of conduct is voluntary. However, if there is an approved code of conduct, relevant to your processing, you may wish to consider signing up. It can also help show compliance to the ICO, the public and in your business to business relationships.

In brief                                                           

Codes of conduct help you to apply the GDPR effectively and allow you to demonstrate your compliance.

Who is responsible for codes of conduct?

Trade associations or bodies representing a sector can create codes of conduct, in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with the GDPR requirements. They have to submit the draft code to us for approval.

We will assess whether a monitoring body is independent and has expertise in the subject matter/sector. Approved bodies will monitor compliance with the code (except for codes covering public authorities) and help ensure that the code is appropriately robust and trustworthy.

We will:

  • check that codes covering UK processing include appropriate safeguards;
  • set out the monitoring body accreditation criteria;
  • accredit monitoring bodies;
  • approve and publish codes; and
  • maintain a public register of all approved UK codes.

If a code covers more than one EU country, the relevant supervisory authority will submit it to the European Data Protection Board (EDPB), who will submit their opinion on the code to the European Commission. The Commission may decide that a code is valid across all EU countries.

If a code covers personal data transfers to countries outside of the EU, the European Commission can use legislation to give a code general validity within the Union.

What should codes of conduct address?

Codes of conduct should help you comply with the law, and may cover topics such as:

  • fair and transparent processing;
  • legitimate interests pursued by controllers in specific contexts;
  • the collection of personal data;
  • the pseudonymisation of personal data;
  • the information provided to individuals and the exercise of individuals’ rights;
  • the information provided to and the protection of children (including mechanisms for obtaining parental consent);
  • technical and organisational measures, including data protection by design and by default and security measures;
  • breach notification;
  • data transfers outside the EU; or
  • dispute resolution procedures.

Codes of conduct can collectively address the specific needs of micro, small and medium enterprises and help them to work together to apply GDPR requirements to the specific issues in their sector. Codes are expected to provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost effective means to enable compliance with GDPR for a sector and its members.

Why sign up to a code of conduct?

Adhering to a code of conduct shows that you:

  • follow the GDPR requirements for data protection; and that
  • are addressing the level of risk relevant to your sector and the type of processing you are doing. For example, in a ‘high risk’ sector, such as processing children’s or health data, the code may contain more demanding requirements.

Adhering to a code of conduct can help you to:

  • be more transparent and accountable - enabling businesses or individuals to distinguish which processing activities, products, and services meet GDPR data protection requirements and they can trust with their personal data;
  • have a competitive advantage;
  • create effective safeguards to mitigate the risk around data processing and the rights and freedoms of individuals;
  • help with specific data protection areas, such as international transfers;
  • improve standards by establishing best practice;
  • mitigate against enforcement action; and
  • demonstrate that you have appropriate safeguards to transfer data to countries outside the EU.

What are the practical implications for our organisation?

  • You can sign up to a code of conduct relevant to your data processing activities or sector. This could be an extension or an amendment to a current code, or be a brand new code.
  • When you sign up to a code of conduct, you will need to demonstrate to the code’s monitoring body, that you meet the code’s requirements. These requirements will reflect your sector and size of organisation.
  • Your customers will be able to view your code membership via the code’s webpage, the ICO’s public register of UK approved codes of conduct and the EDPB’s public register for all codes of conduct in the EU.
  • Once you are assessed as adhering to the code, your compliance with the code will be monitored on a regular basis. This monitoring provides assurance that the code can be trusted. Your membership can be withdrawn if you no longer meet the requirements of the code, and the monitoring body will notify us of this.
  • You can help reduce the risk of a fine by signing up to a code of conduct. This is because adherence to a code of conduct will serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.
  • When contracting work to third parties, you may wish to consider whether they have signed up to a code of conduct, as part of meeting your due diligence requirements under the GDPR.

European Data Protection Board

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

The EDPB are drafting guidelines on codes of conduct and monitoring bodies to cover the provisions in Articles 40-1 and on codes of conduct as appropriate safeguards for international transfers of personal data (Article 46(2)(e)).