Two ways in which firms and organisations can show accountability under the General Data Protection Regulation (GDPR) are by developing their own voluntary Code of Conduct and/or a Certification Scheme.

However, the Information Commissioner’s Office (ICO) highlights that this is not something every firm can do, and the data protection regulator says that, on this topic, it only wants to hear from:

  • Firms and other organisations that are in a position to represent a group of firms or organisations, or
  • Firms and other organisations that have expertise in developing data protection certification criteria

On February 28, the ICO published guidance on Codes of Conduct and Certification. The ICO is also now in a position to receive applications from firms and to consider whether to approve these.

The idea of having a documented Code of Conduct and Certification Scheme might, for example, appeal to a trade association or similar body. These procedures might address data protection issues that are important to the association’s members, such as fair and transparent processing. Sector-specific guidelines developed in this way can help to build public trust and confidence in the relevant business sector’s ability to comply with data protection laws.

Important issues that need to be covered in a Code of Conduct include:

  • The types of data the organisation handles
  • The key data protection risks faced by the organisation
  • Whether the organisation is UK-based or processes data in more than one country
  • How the organisation will monitor compliance with the Code and investigate breaches of the Code
  • Details of any consultation exercise the organisation has carried out with firms, customers and other stakeholders

Codes that have been approved by the ICO will be published on the regulator’s website.

A certification scheme must explain:

  • The legal basis for processing data
  • The rights of data subjects
  • The obligations to report data breaches
  • Details of any Data Protection Impact Assessments

Other mandatory characteristics of certification schemes include:

  • They must be relevant to the target audience
  • They must be capable of being used in small and medium-sized firms

Approved certification schemes will be listed on a public register.

Ian Hulme, ICO Director of Regulatory Assurance, said:

“I would encourage any organisation that can speak on behalf of a group of organisations, or who has expertise in developing standards or certification criteria, to have a look at our guidance and speak to us about developing a GDPR Code of Conduct or Certification scheme.

“Both mechanisms are a really good way for organisations to show their commitment to complying with data protection legislation and ultimately, build public trust and confidence in their organisation.”

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.