So – what is a Code of Conduct?
Article 40 of the GDPR refers to the use of codes of conduct in order to contribute to the proper application of the GDPR, taking into account specific features of the various processing sectors and specific needs of micro, small and medium-sized enterprises.
The ICO has now issued guidelines on the use of codes of conduct covering UK processing. Whilst the ICO is not responsible for drafting codes of conduct, it is responsible for approving all codes drafted by trade associations or other bodies representing a sector. Trade associations and other representative bodies can produce sector-specific codes, in consultation with relevant stakeholders from within their sector and using input from the public where appropriate. This should provide guidance for data controllers and processors within specific sectors and clear up areas of uncertainty which may exist. Having such codes in place should also provide a more cost-effective way to ensure compliance with the GDPR within a sector, by providing sector-specific guidance.
The ICO will publish all approved codes and maintain a public register of all UK codes.
For codes which cover more than one EU country, the ICO will submit the code to the European Data Protection Board, which then submits its opinion to the European Commission for a final decision on the validity of the code in question.
Codes of conduct should address a number of key areas for the sector in question. Examples of the type of information they may cover include:
- fair and transparent processing;
- legitimate interests pursued by controllers in specific contexts;
- the collection of personal data;
- the pseudonymisation of personal data;
- the information provided to individuals and the exercise of individuals’ rights;
- the information provided to and the protection of children (including mechanisms for obtaining parental consent);
- technical and organisational measures, including data protection by design and by default and security measures;
- breach notification;
- data transfers outside the EU; and
- dispute resolution procedures.
Advantages of signing up to a Code of Conduct
There are a number of advantages for an organization signing up to an approved code of conduct.
- Enabling transparency and accountability
- Having a competitive advantage by showing that you comply with an approved code
- Creating effective safeguards to mitigate risks involved in processing personal data
- Helping to deal with data protection issues specific to the sector in question such as international transfers of personal data
- Improving standards by establishing best practice
- Mitigating against enforcement action (note that adherence to a code of conduct will serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine)
- Improving relationships with third parties – other organizations may check for membership of sector-specific codes of conduct as part of a due diligence process; and
- Demonstrating that your organization has appropriate safeguards in place for transferring personal data to countries outside the EU
Implications of becoming a code of conduct member
Signing up to a code of conduct is not a matter of simply ticking a box and paying a fee. Before an organization can become a member of a code of conduct, it must first demonstrate that it meets the code’s requirements. An assessment will take place to establish whether it does indeed meet all requirements. Once an organization has signed up to a code of conduct, customers can see proof of its membership via the code’s webpage and also the ICO’s published register of approved codes. Adherence to the code is an ongoing obligation and an organisation shall be monitored on a regular basis. If that monitoring shows that an organization no longer meets the requirements of the code, membership shall be withdrawn and the ICO shall be informed by the monitoring body.
Overall, membership of an approved code of conduct can bring a number of benefits to an organization. Membership and proof of continued adherence to the terms of the code should increase customer and consumer trust and improve relationships, and as a consequence be a very useful business tool for organizations moving forward.