ICO Codes of Conduct

10 May 2019

Under the GDPR, trade associations and representative bodies may draw up codes of conduct that cover topics important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. This is a great way of providing sector-specific guidance about data protection law.

The Information Commissioner's Office (ICO) submission process for Code of Conduct approval will open following the approval of European Data Protection Board guidelines (due Autumn 2019). However, in the meantime, the ICO is welcoming enquiries from representative organisations who are considering developing codes of conduct and will offer support and guidance. You can contact the ICO by email at [email protected].

Why sign up to a code of conduct?

Adhering to a code of conduct shows that you:

Follow GDPR requirements for data protection that have been agreed as good practice within your sector
Are appropriately addressing the type of processing you are doing and the related level of risk. An example is a code may contain more demanding requirements when it relates to the processing of sensitive special category personal data

Adhering to a code of conduct could help you to:

Be more transparent and accountable
Take into account the specific requirements of processing carried out in a sector and improve standards by following best practice in a cost-effective way
Promote confidence and in a sector by creating effective safeguards to mitigate the risk around processing activities
Earn the trust and confidence of data subjects and promote the rights and freedoms of individuals
Help with specific data protection areas, such as breach notification and privacy by design
Demonstrate that you have appropriate safeguards to transfer data to countries outside the EU
Improve the trust and confidence in your organisation’s compliance with GDPR and of the general public about what happens to their personal data

What should a code of conduct address?

Codes of conduct should help you to comply with the GDPR and may cover topics such as fair and transparent processing, legitimate interests, pseudonymisation or alternative, appropriate data protection processing issues.

Codes of conduct should reflect the specific needs of controllers and processors in small and medium enterprises and help them to work together to apply GDPR requirements to specific issues that they face.

Codes should provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost-effective means to enable compliance with GDPR for a sector and its members.

Who is responsible for codes of conduct?

Trade associations or other bodies representing controllers or processors can create a code of conduct in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with GDPR requirements.

Visit the ICO’s website for further information on Codes of Conduct.

More news

CIPP quick poll

What pension tasks are you responsible for?

Pension contributions i.e. workplace pensions

Best practise on pensioner payrolls

Talking to your employees about pensions

Good governance around employer decision making on pensions

Managing early retirement in all its forms

Deciding on workplace pensions strategy

Protecting pensions and reassurances about pensions promises

Tasks when changing pension schemes

Pensions tax rules

Other, please provide additional details

*denotes a mandatory field

ICO Codes of Conduct

Also of interest

Related news

Devolution: payroll legislation matrix

28 March 2024

New ICO SARs Q&A for employers

27 June 2023

Impact of the data reform bill on payroll professionals

21 June 2022

The CIPP in numbers

9.5k+

2,800+

15k+

10