GDPR Codes of Conduct and Certification schemes – the ICO is “open for business”

Published on 07 August 2020

What is the ICO doing to make it easier for industry specific sectors to comply with GDPR? What is the benefit to businesses in adopting accredited codes of conduct?

The key takeaways

The ICO has formally invited organisations to submit their sector-specific data protection codes of conduct for its approval. In addition, UK organisations can now apply to the UK’s national accreditation body, UKAS, to be accredited to deliver GDPR Certification schemes.

The background

The ICO has recognised that the implementation of the GDPR looks different for each sector, because of the variety of businesses that data protection law covers. As such, in a move to give organisations across multiple sectors certainty that their procedures and policies foster GDPR-compliant data handling, the ICO has offered to approve codes of conduct submitted to it. To cater for data controllers and processors in jurisdictions not covered by the GDPR, the GDPR Certification scheme will allow them to certify the safeguards they have in place to protect international transfers of personal data.

The guidance

The codes of conduct submitted by trade associations and other representative bodies may identify and address data protection issues that are particularly relevant to their members. To encourage the formation of codes of conduct, the ICO is offering advice on meeting the necessary criteria for approval. These criteria include, among other things, the code owner’s ability to represent the data controllers and processors it concerns, the data protection issues the code intends to address, and the method of monitoring member compliance. Furthermore, the code must specify whether it is a national code or covers activities in more than one EU Member State.

If the code of conduct is intended to cover non-public entities, it will have to identify an independent monitoring body to fulfil monitoring requirements. This body must be accredited by the ICO against criteria formally approved by the EDPB. 

In addition, UK organisations can apply to be accredited to deliver GDPR Certification schemes. Once a scheme is in place, data controllers and processors will be able to apply to it for GDPR certification. Once a business has been successfully assessed by the accredited certification body against ICO-approved certification scheme criteria, it will be issued with a data protection certificate or seal relevant to that scheme. These will validate the appropriate safeguards provided by controllers and processors who are not subject to the GDPR, for the purposes of international personal data transfers.

However, it’s important to note that the adoption of an approved code of conduct or certification of safeguards does not reduce the responsibility on controllers or processors. 

Why is this important?

These steps not only make it easier for organisations across multiple sectors to demonstrate compliance with GDPR, but also engender further trust between organisations and individuals sharing their data. 

Sector-specific businesses will also have an approved code of conduct to consider, which may entail making changes to existing policies currently in place. Adopting a sector-specific code of conduct will allow businesses to be confident that they comply with GDPR requirements. 

The ICO will take into account participation in, and non-adherence to, a code or scheme when enforcing the GDPR against businesses.

Any practical tips?

Businesses should consider sharing their views with their trade associations or industry representatives, who may be developing a code of conduct intended for ICO approval.

It may be more efficient for businesses to adopt the new approved sector-specific code of conduct, insofar as it relates to their activities, rather than relying on or upgrading existing policies and procedures.