#5: Data Privacy Best Practice: Consider Adopting a Code of Conduct for the relevant industry
Adopting a Code of Conduct in your relevant industry is another recommended way to demonstrate GDPR compliance. Codes of Conduct existed in the pre-GDPR environment of the 1995 Directive. They will need to be updated for GDPR and approved by the applicable EU country’s supervisory authority.
The following information relating to DPIAs comes directly from the UK DPA’s guidance on Codes of Conduct.
What does the GDPR say about Codes of Conduct?
The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.
The specific needs of micro, small and medium sized enterprises must be taken into account.
Signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme that covers your processing activity becomes available, you may wish to consider working towards it as a way of demonstrating that you comply.
Adhering to codes of conduct and certification schemes brings a number of benefits over and above demonstrating that you comply. It can:
Improve transparency and accountability - enabling individuals to distinguish the organizations that meet the requirements of the law and they can trust with their personal data.
Provide mitigation against enforcement action; and
Improve standards by establishing best practice.
When contracting work to third parties, including processors, you may wish to consider whether they have signed up to codes of conduct or certification mechanisms.
Who is responsible for drawing up codes of conduct?
Governments and regulators can encourage the drawing up of codes of conduct.
Codes of conduct may be created by trade associations or representative bodies.
Codes should be prepared in consultation with relevant stakeholders, including individuals.
Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB).
Existing codes can be amended or extended to comply with the requirements under the GDPR.
What will codes of conduct address?
Codes of conduct should help you comply with the law, and may cover topics such as:
Fair and transparent processing;
Legitimate interests pursued by controllers in specific contexts;
The collection of personal data;
The pseudonymisation of personal data;
The information provided to individuals and the exercise of individuals’ rights;
The information provided to and the protection of children (including mechanisms for obtaining parental consent);
Technical and organisational measures, including data protection by design and by default and security measures;
Data transfers outside the EU; or
Dispute resolution procedures.
What are the practical implications?
If you sign up to a code of conduct, you will be subject to mandatory monitoring by a body accredited by the supervisory authority.
If you infringe the requirements of the code of practice, you may be suspended or excluded and the supervisory authority will be informed. You also risk being subject to a fine of up to 10 million Euros or 2 per cent of your global turnover.
Adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine.
Who is responsible for certification mechanisms?
Member states, supervisory authorities, the EDPB or the European Commission are required to encourage the establishment of certification mechanisms to enhance transparency and compliance with the Regulation.
Certification will be issued by supervisory authorities or accredited certification bodies.
What is the purpose of a certification mechanism?
A certification mechanism is a way of you demonstrating that you comply, in particular, showing that you are implementing technical and organizational measures.
A certification mechanism may also be established to demonstrate the existence of appropriate safeguards related to the adequacy of data transfers.
They are intended to allow individuals to quickly assess the level of data protection of a particular product or service.
What are the practical implications?
Certification does not reduce your data protection responsibilities.You must provide all the necessary information and access to your processing activities to the certification body to enable it to conduct the certification procedure.Any certification will be valid for a maximum of three years. It can be withdrawn if you no longer meet the requirements of the certification, and the supervisory authority will be notified.
If you fail to adhere to the standards of the certification scheme, you risk being subject to an administrative fine of up to 10 million Euros or 2 per cent of your global turnover.
BizConnect is not aware of a current Code of Conduct in its industry. It will keep apprised of developments, and consider adopting one if and when it becomes available.