GDPR Codes of Conduct and Certifications in the UK

July 27, 2020

The advent of the GDPR, over two years ago, brought about a raft of well documented obligations for organisations processing personal data. At the very centre of these changes is the accountability requirement, which aims to move controllers and processors away from a ‘one time fix’ approach and towards data protection compliance becoming ‘business as usual’.

By way of assistance with this task, the GDPR includes the potential for Codes of Conduct (“Codes”) and Certification schemes to be used as mechanisms for improving and demonstrating compliance. Until now these have languished on the drawing board, but recently the ICO has taken steps to breathe life into these schemes by inviting organisations to submit their proposed industry-specific codes and certifications for assessment and approval.

What are Codes of Conduct and Certifications? 

Codes of Conduct and Certifications are provided for under the GDPR and are designed to help both data controllers and processors demonstrate and evidence GDPR compliance and best practice. Both are important voluntary accountability tools.

Codes are provisions which help organisations – such as trade, membership or professional bodies – to support compliance with data protection issues identified or specific to their sector. 

Certification is a separate provision that will give organisations a tool they can use to enhance trust in their processing practices, as well as demonstrating their commitment to compliance with their customers. 


How much do they cost? 

As the process is still under development with the ICO, it is difficult to estimate what the costs of these schemes will be. The businesses and industry bodies that apply to, and receive approval from, the ICO and UKAS (the UK’s national accreditation body) to administer certification will dictate the costs of certifying and monitoring the organisations that subscribe to these schemes. However, it is likely that each mechanism will attract the usual supplementary costs associated with aligning to the approved schemes and implementing the necessary controls to enable compliance prior to certification.

Who monitors Codes and approves Certifications? 

Monitoring of Codes must be done by an ICO-accredited organisation. Often these will be existing regulatory bodies from the applicable sector looking to approve and regulate a code for members to sign up to, possibly as an extension of an existing industry code adapted to align with the GDPR.

Certification can be issued by accredited certification bodies. The Certification schemes must be approved by the ICO, and UKAS will assess the audit methodology and suitability of the certification body prior to granting accreditation. Accreditations for certification bodies are expected to last for a maximum of five years and are subject to renewals, as well as withdrawals in cases where conditions for the accreditation are no longer met. 


What are the differences between the two? 

Codes of Conduct are a good way of developing sector-specific guidelines to help with compliance under the GDPR. Approval is very specific and follows strict 9-point criteria. Trade associations and other representative bodies may draw up codes that identify and address data protection issues, with the advice and support of the ICO.

Trade associations and other representative bodies are responsible for their codes at all times. This includes submitting the draft codes to the ICO for approval and providing the monitoring method and a monitoring body to deliver them. Any Code submitted to cover non-public organisations must identify a monitoring body to undergo an accreditation process with the ICO. This process is to prove that the body has the ability, expertise and resources to monitor the relevant Code and its signatories, with the expected independence and authority.

The ICO will also support organisations who approach the ICO with a proposal for a Code of Conduct and will publish approved GDPR Codes of Conduct. 


What are the benefits of Codes? 

    • Demonstrates that you are agreeing to follow good data protection practices within your sector; 
    • Addresses the type of processing you are carrying out and the associated level of risk; 
    • Greater level of transparency and accountability; 
    • Promotes confidence and creates effective safeguards to mitigate the risk around processing activities; 
    • Builds and earns trust and confidence of data subjects and promotes their rights and freedoms; 
    • Helps with specific data protection areas, such as breach notification and privacy by design; and 
    • Improves the trust and confidence in your organisation’s compliance with GDPR. 

At the time of writing, the ICO has yet to formally approve any Codes of Conduct, although other supervisory authorities across the EU have begun approving codes in industry sectors such as consumer credit and other regulatory areas. 

Certifications are a way of demonstrating that processing of personal data complies with the GDPR requirements.  

Certifications are expected to be valid for a maximum of three years, subject to periodic review and can be withdrawn if you no longer meet the certification criteria or in the event of sanctions being imposed by the ICO. 

Approved certificates will be made available on a public register of certificates and do not reduce data protection responsibilities outside the certified processing activity. 

Certification approval follows strict and specific 13-point criteria. These conditions are outlined in more detail in the EDPB ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’ and in the ICO’s detailed guidance.

Once your organisation has been successfully assessed by the accredited certification body, you will be issued with a data protection certificate, seal or mark relevant to that scheme. 


What can be certified? 

According to the current ICO guidance regarding the scheme, the scope of certification: 

    • Could include a variety of different products, processes or services offered by a controller or processor;
    • Can be specific e.g. secure storage and protection of personal data contained within a digital vault; 
    • Cannot relate to an organisation as a whole; and 
    • Cannot be used to certify individuals, for example data protection officers. 


What are the benefits of Certifications? 

    • Greater transparency and accountability; 
    • Improve standards by establishing best practice; 
    • Mitigate against enforcement action, provided the standards of the Certification have been upheld (the ICO has indicated that it will take any such standards, and any potential non-compliance with them, into consideration during enforcement proceedings);
    • Can help with due diligence of third parties; and 
    • May assist in providing an additional safeguard for controllers and processors exporting data from the EU. Article 42 (2) allows for the use of certification schemes as a mechanism for demonstrating sufficient safeguards are in place for any organisation not subject to the GDPR for the purposes of international data transfers. 

This final potential benefit of Certification may prove to be a welcome string to the bow of data exporting organisations who are currently relying on the commonly used Standard Contractual Clauses as their chosen safeguard, especially given the recent striking down of the EU/US Privacy Shield. Having a further option to legitimise transfers will be of great benefit and may prove beneficial in ironing out some of the issues likely to occur at the end of the transition period regarding the UK’s exit from the EU.


Where can I find more guidance? 

For additional guidance on Codes see this link, which also contains guidance on how you can become an approved Monitoring Body. 

For additional guidance on Certifications see this link, which also contains guidance on how you can become an approved Certification Body. 

© 2020 DPO Centre. All Rights Reserved.