The advent of the GDPR, over two years ago, brought about a raft of well documented obligations for organisations processing personal data. At the very centre of these changes is the accountability requirement, which aims to move controllers and processors away from a ‘one time fix’ approach and towards data protection compliance becoming ‘business as usual’.
By way of assistance with this task, the GDPR includes the potential for Codes of Conduct (“Codes”) and Certification schemes to be used as mechanisms for improving and demonstrating compliance. Until now these have languished on the drawing board, but recently the ICO (the United Kingdom’s independent data protection supervisory authority) has taken steps to breathe life into these schemes by inviting organisations to submit their proposed industry-specific codes and certification schemes for assessment and approval.
What are Codes of Conduct and Certifications?
Codes of Conduct and Certifications are provided for under the GDPR and are designed to help both data controllers and processors demonstrate and evidence GDPR compliance and best practice. Both are important voluntary accountability tools.
Codes are provisions, typically drawn up by trade, membership or professional bodies, that help organisations in a given sector address the data protection issues identified in, or specific to, that sector.
Certification is a separate provision that gives organisations a tool they can use to enhance trust in their processing practices, as well as to demonstrate their commitment to compliance to their customers.
How much do they cost?
As the process is still under development with the ICO, it is difficult to estimate what the costs of these schemes will be. The businesses and industry bodies who apply for, and receive, approval from the ICO and UKAS (the UK’s national accreditation body) to administer certification will dictate the costs of certifying and monitoring the organisations who subscribe to these schemes. However, it is likely that each mechanism will attract the usual supplementary costs associated with aligning to the approved schemes and implementing the necessary controls to enable compliance prior to certification.
Who monitors Codes and approves Certifications?
Monitoring of Codes must be done by an ICO-accredited organisation. Often these will be existing regulatory bodies from the applicable sector looking to approve and regulate a code for members to sign up to, possibly as an extension of an existing industry code adapted to align with the GDPR.
Certification can be issued by accredited certification bodies. The Certification schemes must be approved by the ICO, and UKAS will assess the audit methodology and suitability of the certification body prior to granting accreditation. Accreditations for certification bodies are expected to last for a maximum of five years and are subject to renewals, as well as withdrawals in cases where conditions for the accreditation are no longer met.
Codes of Conduct are a good way of developing sector-specific guidelines to help with compliance under the GDPR. Approval is very specific and follows a strict set of nine criteria. Trade associations and other representative bodies may draw up codes that identify and address data protection issues, with the advice and support of the ICO.
Trade associations and other representative bodies are responsible for their codes at all times. This includes submitting the draft codes to the ICO for approval and providing the monitoring method and a monitoring body to deliver them. Any Code submitted to cover non-public organisations must identify a monitoring body to undergo an accreditation process with the ICO. This process is to prove that the body has the ability, expertise and resources to monitor the relevant Code and its signatories, with the expected independence and authority.
The ICO will also support organisations who approach the ICO with a proposal for a Code of Conduct and will publish approved GDPR Codes of Conduct.
What are the benefits of Codes?
At the time of writing, the ICO has yet to formally approve any Codes of Conduct, although other supervisory authorities across the EU have begun approving codes in industry sectors such as consumer credit and other regulatory areas.
Certifications are a way of demonstrating that processing of personal data complies with the GDPR requirements.
Certifications are expected to be valid for a maximum of three years, subject to periodic review, and can be withdrawn if you no longer meet the certification criteria or in the event of sanctions being imposed by the ICO.
Approved certificates will be made available on a public register of certificates and do not reduce data protection responsibilities outside the certified processing activity.
Certification approval follows a strict and specific set of 13 criteria. These conditions are outlined in more detail in the EDPB ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’ and in the ICO’s detailed guidance.
Once your organisation has been successfully assessed by the accredited certification body, you will be issued with a data protection certificate, seal or mark relevant to that scheme.
What can be certified?
According to the current ICO guidance regarding the scheme, the scope of certification:
What are the benefits of Certifications?
This final potential benefit of Certification may prove to be a welcome string to the bow of data exporting organisations who are currently relying on the commonly used Standard Contractual Clauses as their chosen safeguard, especially given the recent striking down of the EU/US Privacy Shield. Having a further option to legitimise transfers will be of great benefit and may help in ironing out some of the issues likely to arise at the end of the transition period following the UK’s exit from the EU.
Where can I find more guidance?
For additional guidance on Codes see this link, which also contains guidance on how you can become an approved Monitoring Body.
For additional guidance on Certifications see this link, which also contains guidance on how you can become an approved Certification Body.