So – what is a Code of Conduct?
Article 40 of the GDPR refers to the use of codes of conduct in order to contribute to the proper application of the GDPR, taking into account specific features of the various processing sectors and specific needs of micro, small and medium-sized enterprises.
The ICO has now issued guidelines on the use of codes of conduct covering UK processing. Whilst the ICO is not responsible for drafting codes of conduct, it is responsible for approving all codes drafted by trade associations or other bodies representing a sector. Trade associations and other representative bodies can produce sector-specific codes, in consultation with relevant stakeholders from within their sector and using input from the public, where appropriate. This should help to provide guidance for data controllers and processors within specific sectors and clear up areas of uncertainty which may exist. Having such codes in place should also provide a more cost-effective way to ensure compliance with the GDPR within a sector by providing sector-specific guidance.
The ICO will publish all approved codes and maintain a public register of all UK codes.
For codes which cover more than one EU country, the ICO will submit the code to the European Data Protection Board, which then submits its opinion to the European Commission for a final decision on the validity of the code in question.
Codes of conduct should address a number of key areas for the sector in question. Examples of the type of information they may cover include:
Advantages of signing up to a Code of Conduct
There are a number of advantages for an organization signing up to an approved code of conduct.
Implications of becoming a code of conduct member
Signing up to a code of conduct is not a matter of simply ticking a box and paying a fee. Before an organization can become a member of a code of conduct, it must first demonstrate that it meets the code's requirements. An assessment will take place to establish whether it does indeed meet all requirements. Once an organization has signed up to a code of conduct, customers can see proof of its membership via the code's webpage and also the ICO's published register of approved codes. Adherence to the code is an ongoing obligation, and an organization shall be monitored on a regular basis. If that monitoring shows that an organization no longer meets the requirements of the code, membership shall be withdrawn and the ICO shall be informed by the monitoring body.
Overall, membership of an approved code of conduct can bring a number of benefits to an organization. Membership and proof of continued adherence to the terms of the code should increase customer and consumer trust and improve relationships, and as a consequence be a very useful business tool for organizations moving forward.