2020-03-05

The Information Commissioner’s Office (‘ICO’) published, on 28 February 2020, guidance on codes of conduct (‘the Codes of Conduct Guide’) and guidance on certification (‘the Certification Guide’) under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In particular, the ICO highlighted that the Codes of Conduct Guide and the Certification Guide aim to help data controllers and processors demonstrate compliance with the GDPR by developing sector-specific guidelines.

Codes of Conduct – voluntary or mandatory?

The ICO outlined that both the codes of conduct and the certification schemes are voluntary accountability tools, enabling stakeholders to identify and resolve key data protection challenges in their sector with assurance from the ICO that the code, and its monitoring, is appropriate.

Tim Hickman, Partner at White & Case LLP, told OneTrust DataGuidance, “It seems unlikely at this stage that compliance with codes of conduct could be made mandatory. Articles 40-41 of the GDPR are clearly permissive, rather than obligatory – they seek to encourage use of codes of conduct, but do not mandate the use of codes of conduct. Likewise, Article 83(2)(j) of the GDPR allows adherence to codes of conduct to be taken into account when issuing penalties under the GDPR – emphasising the benefits of, without compelling the use of, codes of conduct. Thus, for codes of conduct to become mandatory, there would need to be a change in the law.”

The Codes of Conduct Guide also states that, while signing up to a code of conduct is voluntary, organisations are encouraged to comply with an approved code of conduct where one exists that is relevant to their processing activities.

A cross-sector approach to codes of conduct

The Codes of Conduct Guide highlights that cross-sector codes are allowed if the code owner can demonstrate that the organisations covered have a common processing activity and share the same processing needs, for example a human resources professional body or an IT association.

Hickman stated, “Organisations operating in multiple sectors may decide to comply with different codes of conduct, with respect to their data processing activities in different sectors. For example, a social media platform that also sells products online might choose to adhere to one code of conduct with respect to the processing of personal data in a social media context, and another code of conduct in a retail and marketing context. Ultimately, the challenge for those organisations will be ensuring that they are able to navigate any inconsistencies between the codes of conduct to which they sign up.”

According to the Codes of Conduct Guide, if a cross-sector code applies to more than one category of data controllers or representative organisations, more than one monitoring body may need to be accredited. In such circumstances, the code should clearly set out the accreditation requirements for each monitoring body and state for which data controllers each monitoring body will perform its functions.

Monitoring bodies: ICO Codes of Conduct Guide v. GDPR

The Codes of Conduct Guide stipulates, ‘Codes of conduct covering the private sector, or non-public authorities must also identify a monitoring body who will fulfil the monitoring requirements.’

Hickman highlighted, “Article 41(1) GDPR is much more flexible on this point, and states: ‘the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a [monitoring] body.’ The GDPR thereby appears to leave open the possibility that monitoring of compliance could be carried out by the relevant supervisory authority, and that a separate monitoring body is not needed in all cases. By insisting that an accredited monitoring body must be used for private sector codes of conduct, the ICO is effectively saying it will only approve codes of conduct where the relevant organisations are willing to incur the cost and liability associated with appointing a monitoring body. Although the ICO’s view is in line with the position taken by the EDPB on this issue, it is worth noting that this position is much more restrictive than the text of the GDPR, and significantly curtails the circumstances in which private sector organisations are likely to be able to gain approval for their codes of conduct.”

Implications of Brexit on UK certification and the EDPB certification scheme register

The Certification Guide notes that there are currently no approved certification criteria or accredited certification bodies for issuing GDPR certificates. It further notes that certification is a way for a company to demonstrate compliance with the GDPR, and that the European Data Protection Board (‘EDPB’) will collate all EU certification schemes from across the EU member states in a public register.

Hickman noted, “Article 42(2) of the GDPR explicitly permits non-EU controllers and processors to certify to EU codes of conduct. Thus, after the end of the Brexit transition period, it appears likely that UK companies that are certified in accordance with certification schemes that are approved by the EDPB can continue to maintain those certifications.”

Furthermore, the Certification Guide notes that additional accreditation requirements were submitted to the EDPB for its opinion and have now been approved. This will allow the United Kingdom Accreditation Service (‘UKAS’) to accredit certification bodies to deliver GDPR schemes using ICO-approved certification criteria.

Hickman continued, “However, it is likely that any certification schemes that have only been accredited by the UK ICO (and no other EU supervisory bodies) would cease to be valid for GDPR purposes after the end of the Brexit transition period (on the basis that, from that date, the UK ICO will no longer be a ‘supervisory body’ under the GDPR, and therefore such codes of conduct would no longer be ‘accredited’ within the meaning of Article 43(1)(a) of the GDPR).”