Certifications and Codes of Conduct
Certification schemes exist to encourage and demonstrate compliance with data protection standards. GDPR Article 43 sets the criteria and procedure for accrediting certification bodies. Article 43(1) requires the Member States to ‘ensure’ that certification bodies are accredited by a supervisory authority.
Both the GDPR and the UK DPA 2018 provide that the ICO can act as an accreditation body for certification providers. The UK DPA 2018 provides specific rules, whereby accreditation is only valid when provided by the ICO or by UKAS, the national accreditation body. The ICO and UKAS may only accredit a person as a certification provider where:
- the ICO (or UKAS respectively) has published a statement where it says it will carry out such accreditation; and
- the ICO (or UKAS respectively) has not published a notice withdrawing that statement.
The ICO has clarified that the certification framework will involve:
- the ICO publishing accreditation requirements for certification bodies to meet;
- the UK’s national accreditation body, UKAS, accrediting certification bodies and maintaining a public register;
- the ICO approving and publishing certification criteria for certification schemes;
- accredited certification bodies (third party assessors) issuing certification; and
- controllers and processors applying for certification and using certifications.
The ICO has no plans to accredit certification bodies or carry out certification at this time, although the GDPR does allow this.
Codes of Conduct
GDPR Art. 40 encourages organizations to use Codes of Conduct as a voluntary tool for the proper and effective application of the GDPR. Codes of conduct should be tailored to reflect the specific needs of different sectors and sizes of organization. Trade associations or bodies representing a sector can create codes of conduct to help their sector comply with the GDPR in an efficient and cost-effective way. Furthermore, Codes of Conduct are a strong indicator of accountability and compliance towards the ICO, the public, and business partners.
The ICO has provided the following guidance on the Codes of Conduct so far:
How to Submit?
Trade associations or bodies representing a sector can create codes of conduct, in consultation with relevant stakeholders, including the public where feasible. They can amend or extend existing codes to comply with the GDPR requirements. They then have to submit the draft code to the ICO for approval.
The ICO has clarified that it will assess whether a monitoring body is independent and has expertise in the subject matter or sector. Approved bodies will monitor compliance with the code (except for codes covering public authorities) and help ensure that the code is appropriately robust and trustworthy.
The ICO further stated that it will:
- check that codes covering UK processing include appropriate safeguards;
- set out the monitoring body accreditation criteria;
- accredit monitoring bodies;
- approve and publish the Codes of Conduct; and
- maintain a public register of all approved UK codes.
What to Include?
The content of a Code of Conduct should follow the requirements of Art. 40; most importantly, it should cover the topics suggested in Art. 40(2):
- fair and transparent processing;
- legitimate interests pursued by controllers in specific contexts;
- the collection of personal data;
- the pseudonymization of personal data;
- the information provided to individuals and the exercise of individuals’ rights;
- the information provided to and the protection of children (including mechanisms for obtaining parental consent);
- technical and organizational measures, including data protection by design and by default and security measures;
- breach notification;
- data transfers outside the EU; or
- dispute resolution procedures.
EU-Wide Codes of Conduct
If a code covers more than one EU country, the relevant supervisory authority will submit it to the European Data Protection Board (EDPB), which will submit its opinion on the code to the European Commission. The Commission may decide that a code is valid across all EU countries. If a code covers personal data transfers to countries outside of the EU, the European Commission can use legislation to give the code general validity within the Union. The ICO is not planning to issue any guidance on Codes of Conduct until the EDPB Guidelines on Codes of Conduct and Certification are finalized.
Certification schemes and Codes of Conduct are established under the GDPR and UK domestic law as an accountability element to demonstrate an organization's compliance with privacy laws and to facilitate data transfers or vendor management.
Last Updated: July 30, 2019