Guidance on GDPR Codes of Conduct and Certification schemes published by ICO

March 2, 2020

The ICO has published guidance for organisations wanting to develop GDPR Codes of Conduct or Certification schemes. Organisations can submit their proposals for GDPR codes of conduct or certification scheme criteria to the ICO for approval. The services aim to help both data controllers and processors demonstrate compliance with the GDPR.

Codes of conduct

Under the GDPR, trade associations and other representative bodies may draw up codes of conduct that identify and address data protection issues that are important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. The ICO sees them as a  good way of developing sector-specific guidelines to help with compliance with the GDPR. The ICO also says that there is a real benefit to developing a code of conduct as it can help to build public trust and confidence in a given sector’s ability to comply with data protection laws.

The ICO is committed to encouraging the development of codes of conduct and will provide advice and support on meeting the necessary criteria, the requirements of the GDPR, and complex areas of data protection. Following submission to the European Data Protection Board (EDPB) Plenary, in December 2019, the UK code of conduct monitoring body accreditation requirements were finalised. This means that the ICO can now accredit monitoring bodies and approve GDPR codes of conduct.

By signing up to a code of conduct, controllers and processors can ensure they apply the GDPR effectively and in doing so establish operational norms in compliance that ultimately should assist in bringing down levels of non-compliance. Codes of conduct require a monitoring method, and for private or non-public authorities, a monitoring body to deliver them.

Codes of conduct may cover topics such as fair and transparent processing, legitimate interests, pseudonymisation or alternative, appropriate data protection processing issues. Codes of conduct should also reflect the specific needs of controllers and processors in small and medium enterprises and help them to work together to apply GDPR requirements to specific issues that they face.

Codes should provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost-effective means to enable compliance with GDPR for a sector and its members.

Trade associations or bodies who are able to speak on behalf of controllers or processors can create a code of conduct. They can amend or extend existing codes to comply with GDPR requirements. They must submit the draft code to the ICO for approval. The ICO will use specific criteria to approve a code of conduct. All codes of conduct must contain suitable methods to allow for effective monitoring of code member compliance and outline appropriate action in cases of infringement. In all cases these methods will need to be clear, suitable and efficient. A code owner will also have to demonstrate how the monitoring body can remain impartial from code members, the profession, industry or sector to which the code applies.

Certification

Certification is a way for an organisation to demonstrate compliance with GDPR. Certification scheme criteria will be approved by the ICO and can cover a specific issue or be more general. Once an accredited certification body has assessed and approved an organisation, it will issue them with a certificate, and a seal or mark relevant to that scheme. 

The GDPR says that certification is also a means to:

  • demonstrate compliance with the provisions on data protection by design and by default (Article 25(3));
  • demonstrate that organisations have appropriate technical and organisational measures to ensure data security (Article 32(3)); and
  • to support transfers of personal data to third countries or international organisations (Article 46(2)(f)).

In the UK the certification framework will involve:

  • the ICO publishing accreditation requirements for certification bodies to meet;
  • the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
  • the ICO approving and publishing certification criteria;
  • accredited certification bodies issuing certification against those criteria; and
  • controllers and processors applying for certification and using it to demonstrate compliance.

The scope of a certification scheme could be quite general and be applied to a variety of different products, processes or services; or it could be specific, for example, secure storage and protection of personal data contained within a digital vault.

The criteria are set out in EDPB Guidelines 1/2018 on certification and identifying certification criteria and the ICO’s detailed guidance. Certification is valid for a maximum of three years, subject to periodic reviews.