GDPR Codes of Conduct and Certifications in the UK

The advent of the GDPR, over two years ago, brought about a raft of well documented obligations for organisations processing personal dataInformation which relates to an identified or identifiable natural person..... At the very centre of these changes is the accountability requirement, which aims to move controllers and processors away from a ‘one time fix’ approach and towards data protection compliance becoming ‘business as usual’. 

By way of assistance with this task, the GDPR includes the potential for Codes of Conduct (“Codes”) and Certification schemes to be used as mechanisms for improving and demonstrating compliance. Until now these have languished on the drawing board, but recently the ICO has taken steps to breathe life into these schemes by inviting organisations to submit their proposed industry-specific codes and certification for assessment and approval.  

What are Codes of Conduct and Certifications? 

Codes of Conduct and Certifications are mandated under the GDPR and are designed to help both data controllers and processers demonstrate and evidence GDPR compliance and best practices. Both are important voluntary accountability tools. 

Codes are provisions which help organisations – such as trade, membership or professional bodies – to support compliance with data protection issues identified or specific to their sector. 

Certification is a separate provision that will give organisations a tool they can use to enhance trust in their processing practices, as well as demonstrating their commitment to compliance with their customers. 

How much do they cost? 

As the processA series of actions or steps taken in order to achieve a particular end.... is still under development with the ICO, it is difficult to estimate what the costs of these schemes will be. The businesses and industry bodies who apply, and receive approval, from the ICO and UKAS (the UK’s national accreditation body) to administer certification will dictate the costs of certifying and monitoring organisations who subscribe to these schemes. However, it’s likely that each mechanism will attract the usual supplementary costs associated with aligning to the approved schemes and implementing the necessary controls to enable compliance prior to certification.  

Who monitors Codes and approves Certifications? 

Monitoring of Codes must be done by an ICO accredited organisation, often these will be existing regulatory bodies from the applicable sector looking to approve and regulate a code for members to sign-up to, possibly an extension of an existing industry code adapted to align with the GDPR.  

Certification can be issued by accredited certification bodies. The Certification schemes must be approved by the ICO, and UKAS will assess the audit methodology and suitability of the certification body prior to granting accreditation. Accreditations for certification bodies are expected to last for a maximum of five years and are subject to renewals, as well as withdrawals in cases where conditions for the accreditation are no longer met. 

What are the differences between the two? 

Codes of Conduct are a good way of developing sector-specific guidelines to help with compliance under the GDPR. Approval is very specific and follows a strict 9-point criteria and trade associations and other representative bodies may draw up codes that identify and address data protection issues, with the advice and support of the ICO. 

Trade associations and other representative bodies are responsible for the codes at all times.  This includes submitting the draft codes to the ICO for approval and providing the monitoring method and a monitoring body to deliver them. Any Code submitted to cover non-public organisations must identify a monitoring body to undergo an accreditation process with the ICO.  This process is to prove they have the ability, expertise and resources to monitor the relevant Code and its signatories, and with the expected independence and authority. 

The ICO will also support organisations who approach the ICO with a proposal for a Code of Conduct and will publish approved GDPR Codes of Conduct. 

What are the benefits of Codes? 

• • Demonstrates that you are agreeing to follow good data protection practices within your sector; 
  • Addresses the type of processing you are carrying out and the associated level of risk; 

• • Greater level of transparency and accountability; 
  • Promotes confidence and creates effective safeguards to mitigate the risk around processing activities; 
  • Builds and earns trust and confidence of data subjects and promotes their rights and freedoms; 
  • Helps with specific data protection areas, such as breach notification and privacy by design; and 
  • Improves the trust and confidence in your organisation’s compliance with GDPR. 

At the time of writing, the ICO has yet to formally approve any Codes of Conduct, although other supervisory authorities across the EU have begun approving codes in industry sectors such as consumer credit and other regulatory areas. 

Certifications are a way of demonstrating that processing of personal data complies with the GDPR requirements.  

Certifications are expected to be valid for a maximum of three years, subject to periodic review and can be withdrawn if you no longer meet the certification criteria or in the event of sanctions being imposed by the ICO. 

Approved certificates will be made available on a public register of certificates and do not reduce data protection responsibilities outside the certified processing activity. 

Certifications approval follows a strict and specific 13-point criteria and these conditions are outlined in more detail in EDPB  ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’  and ICO  detailed guidance. 

Once your organisation has been successfully assessed by the accredited certification body, you will be issued with a data protection certificate, seal or mark relevant to that scheme. 

What can be certified? 

According to the current ICO guidance regarding the scheme, the scope of certification: 

• • Could include a variety of different products, processes or services offered by a controller or processer; 
  • Can be specific e.g. secure storage and protection of personal data contained within a digital vault; 

• • Cannot relate to an organisation as a whole; and 
  • Cannot be used to certify individuals, for example data protection officers. 

What are the benefits of Certifications? 

• • Greater transparency and accountability; 
  • Improve standards by establishing best practice; 

• • Mitigate against enforcement action (providing the standards of Certification have been upheld. The ICO has indicated that it will take any such standards and potential non-compliance into consideration during enforcement proceedings); 
  • Can help with due diligence of third parties; and 
  • May assist in providing an additional safeguard for controllers and processors exporting data from the EU. Article 42 (2) allows for the use of certification schemes as a mechanism for demonstrating sufficient safeguards are in place for any organisation not subject to the GDPR for the purposes of international data transfers. 

This final potential benefit of Certification may prove to be a welcome string to the bow of data exporting organisations who are currently relying on the commonly used Standard Contractual ClausesStandard contractual clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries.... as their chosen safeguard, especially given the recent striking down of the EU/US Privacy ShieldCertification scheme, currently operational with the US, which places requirements on companies to protect personal data and provide appropriate redress for individuals.....  Having a further option to legitimise transfers will be of great benefit and may prove beneficial in ironing out some of the issues likely to occur at the end of the transition period regarding the UK’s exit from the EU. 

Where can I find more guidance? 

For additional guidance on Codes see this link, which also contains guidance on how you can become an approved Monitoring Body. 

For additional guidance on Certifications see this link, which also contains guidance on how you can become an approved Certification Body.