ICO Codes of Conduct

10 May 2019


Under the GDPR, trade associations and representative bodies may draw up codes of conduct that cover topics important to their members, such as fair and transparent processing, pseudonymisation or the exercise of people’s rights. This is a great way of providing sector-specific guidance about data protection law.


The Information Commissioner's Office (ICO) submission process for Code of Conduct approval will open following the approval of European Data Protection Board guidelines (due Autumn 2019). However, in the meantime, the ICO is welcoming enquiries from representative organisations who are considering developing codes of conduct and will offer support and guidance. You can contact the ICO by email at [email protected].


Why sign up to a code of conduct?


Adhering to a code of conduct shows that you:

  • Follow GDPR requirements for data protection that have been agreed as good practice within your sector
  • Are appropriately addressing the type of processing you are doing and the related level of risk. An example is a code may contain more demanding requirements when it relates to the processing of sensitive special category personal data

Adhering to a code of conduct could help you to:

  • Be more transparent and accountable
  • Take into account the specific requirements of processing carried out in a sector and improve standards by following best practice in a cost-effective way
  • Promote confidence and in a sector by creating effective safeguards to mitigate the risk around processing activities
  • Earn the trust and confidence of data subjects and promote the rights and freedoms of individuals
  • Help with specific data protection areas, such as breach notification and privacy by design
  • Demonstrate that you have appropriate safeguards to transfer data to countries outside the EU
  • Improve the trust and confidence in your organisation’s compliance with GDPR and of the general public about what happens to their personal data


What should a code of conduct address?

Codes of conduct should help you to comply with the GDPR and may cover topics such as fair and transparent processing, legitimate interests, pseudonymisation or alternative, appropriate data protection processing issues.


Codes of conduct should reflect the specific needs of controllers and processors in small and medium enterprises and help them to work together to apply GDPR requirements to specific issues that they face.


Codes should provide added value for their sector, as they will tailor the GDPR requirements to the sector or area of data processing. They could be a cost-effective means to enable compliance with GDPR for a sector and its members.

Who is responsible for codes of conduct?


Trade associations or other bodies representing controllers or processors can create a code of conduct in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with GDPR requirements.


Visit the ICO’s website for further information on Codes of Conduct.