The GDPR provides two ways in which certain organisations can demonstrate that their processing of personal data is compliant with data protection laws, thereby satisfying the accountability requirement under the GDPR: Codes of Conduct and Certifications Schemes.
While each of these procedures is voluntary, organisations have been prevented from attempting to use them up until now as the administrative framework for gaining the requisite approval from the ICO of a proposed code or scheme has not been ready.
The good news is that these processes are now open: as of 27 February 2020, organisations can submit their proposals for a GDPR code of conduct or certification scheme criteria to the ICO for their approval.
In practice though, controllers and processors must continue to be patient as there are currently no approved codes or schemes out there.
- Accountability is one of the data protection principles, requiring organisations to demonstrate their compliance with data protection laws.
- Codes of Conduct and Certification schemes should both be useful voluntary accountability tools, once up and running.
- Codes of Conduct can be used by organisations such as trade, membership or professional bodies to set out practical ways in which individual members of the organisation can comply with data protection laws, in light of the data protection issues specific to their sector or businesses. Once a Code of Conduct has been approved by the ICO, individual members of the organisation will be able to sign up to it to help demonstrate their compliance with data protection legislation. Adherence to the approved Code will be monitored by a monitoring body, which will also have been approved by the ICO.
- In its new Guidance on Codes of Conduct, the ICO describes its role, which is to:
- provide advice and guidance to bodies considering or developing a code;
- check that codes meet the code criteria set out below;
- accredit (approve) monitoring bodies;
- approve and publish codes of conduct; and
- maintain a public register of all approved UK codes of conduct.
- As for Certification, this tool will allow businesses to demonstrate their compliance with data protection laws in respect of specific processing activities that are covered by a certification scheme. Organisations will be able to use certification to build trust in their business and to demonstrate compliance to their customers and contractors. In particular, the GDPR states that certification can be used to assist in compliance with data security, privacy by design and international transfer obligations.
- In its new Guidance on Certification Schemes, the ICO describes the UK certification framework as follows:
- The ICO will publish accreditation requirements for certification bodies to meet;
- The UK’s national accreditation body, UKAS, will accredit certification bodies and maintain a public register;
- The ICO will approve and publish certification criteria;
- Accredited certification bodies will issue certification against those criteria; and
- Controllers and processors will apply for certification and use it to demonstrate compliance.
- Codes of Conduct and Certification Schemes are not a ‘one size fits all’ solution: they will not be relevant to all organisations. They will apply to processing within specific industries, or to specific processing activities.
Codes of conduct and certification schemes are a welcome and useful addition to the methods available to businesses to satisfy the accountability principle. Many sectors are faced with specific data protection issues, particularly when it comes to the processing of special category data. ICO approved norms for addressing these issues, which are codified and then used across a sector will improve compliance across the industry and ensure a level playing field for data protection compliance amongst competing businesses.
Certification too will be useful once it is available. It may allow consumers to quickly check that an organisation can be trusted to use their personal data for certain purposes. It is also likely to form part of the due diligence carried out on a proposed processor or sub-processor, and may feature as a requirement in data processing agreements where a relevant certification scheme is available.
Sian Barr is a Senior Associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org