Before the GDPR rolls out, the list of practices that companies will need to re-evaluate and reform is huge. Thus, any concessions and exemptions allowed by the GDPR should be welcomed with open arms. Every little thing counts when you’re in a scramble to meet the 25 May deadline, believe us!
What Are Codes of Conduct?
It is important for all companies and organisations to demonstrate compliance with the GDPR. Among the most welcome methods for doing so are codes of conduct and certifications.
Codes of conduct are internal rules that outline the norms and practices to be followed in certain situations and help companies demonstrate that they follow them. Well-drafted codes of conduct with regulator-approved procedures can serve as a useful tool for demonstrating compliance. Remember, Article 5(2) of the GDPR requires your company to be able to demonstrate compliance with the GDPR.
The GDPR brings updated provisions regarding codes of conduct with a much clearer list of requirements and obligations. This results in better accountability and transparency.
Codes of conduct are thought to bring great benefits, especially for small and medium enterprises (SMEs). They are not obligatory and your company does not have to have one. However, they bring about major financial and organizational benefits.
It is expected that the authorities will strongly encourage the creation of codes of conduct tailored to the size and data requirements of the company. We expect a reduction of the administrative burden of proving compliance if codes of conduct are adopted.
Bear in mind that once adopted, compliance with the code is mandatory. It is not a ‘guideline’ for best practices, but a legal obligation under the GDPR.
Codes of Conduct Scream Compliance
Article 40 of the GDPR strongly suggests a number of fields that a code of conduct should cover. These include:
- fairness and transparency of processing
- legitimate interests of controllers
- collection and pseudonymisation of personal data
- data subjects’ rights and information provided to them
- measures for the protection of children
- breach notifications
- security measures
- cross-border transfers
- dispute resolution mechanisms
As you can see, good practices in these fields practically guarantee that you are GDPR compliant, as long as you adhere to the adopted codes of conduct. That makes them truly useful, instead of just a thin veneer of compliance.
Well-drafted codes of conduct ensure safety of processing and allow data subjects (individuals) to exercise their rights. Smaller companies will benefit from the ‘know-how’, i.e. smart data handling procedures and best practices for ensuring data safety both during processing and storage.
If codes of conduct are approved and adhered to by all organisations involved, even cross-border data transfers may be possible without any prior approval from a supervisory authority. This is very enticing for large corporations, which often need to move huge amounts of data to their processing companies or subsidiaries.
Who Can Draft Codes of Conduct?
Companies themselves are not able to draft their own codes. Instead, this is done by the trade organisations, sectoral associations and other legitimate representative bodies. They will have to prove their legitimacy first to the relevant supervisory authority. The supervisory authorities will vet these organisations for transparency, conflict of interest, expertise and overall ability to manage the codes and revise them occasionally.
Several member states have already approved codes of conduct for many industries, with Germany and the Netherlands leading the way. It is expected that the number of codes of conduct will rise significantly as the GDPR deadline approaches.
The organisations preparing codes of conduct are strongly encouraged by the GDPR to take into account the opinions of all the relevant stakeholders. This includes, of course, the opinions of regulatory authorities and member companies. However, regular citizens should also be consulted whenever possible. Codes must be in line with the legislation in the EU country concerned.
Note that the law always prevails over a code of conduct: where a provision of the code is inconsistent with the law, that provision becomes invalid. The code itself, once adopted, is valid for an indefinite period of time.
The supervisory authority of the member state of the proposing organisation is responsible for the monitoring and approval of the code of conduct. In some cases, when processing in several member states is covered by the code, other supervisory authorities will have to be consulted as well.
Before the code of conduct is put into practice, the organisations must submit a draft and a supervisory authority must approve it. The supervisory authorities are responsible for making the codes publicly available.
By adopting a code of conduct you accept that the supervisory authority can monitor your compliance with it. In practice, the monitoring will be performed by a body accredited by the authority. However, self-monitoring mechanisms should be included within the code itself, so that any complaints and transgressions are handled automatically. Revisions will also have to be handled, with frequency depending on the changes in the relevant laws. That is why this type of GDPR compliance is called “semi self-regulating” by some.
If any infringements are found, you could be excluded from the code and subject to a fine – the first tier of EUR 10 million or 2 percent of your company’s global annual turnover. The supervisory authorities may revoke the code altogether if it is deemed unsatisfactory.
The European Commission can decide on its own that certain codes of conduct meet all the requirements. These codes are considered valid within the entire EU.
As stated above, SMEs stand to gain the most from these universal codes of conduct. They pool their funds through memberships in trade associations and similar bodies, and these groups can create codes of conduct that their member companies can then adopt.
In other words, for a small sum of money, they get the ‘blueprint’ for ensuring compliance. This eliminates the need for internal compliance mechanisms and programmes, which are extremely expensive and generally undertaken only by large companies and organisations.
Third country data transfers are also facilitated by the adoption of valid codes of conduct. Non-EU organisations can adopt them to signal they are GDPR compliant, which makes transfers easier since the rights of data subjects are considered protected.
Small companies will also be glad to hear that adherence to the approved codes of conduct reduces the risk of fines and could result in lower fines even in case of infringements. Such adherence is considered as a mitigating factor, since it is a signal that the company has not neglected its privacy-related obligations.
The benefits for data subjects could also be substantial. If a code is promoted enough and the public is aware of its quality, any company adhering to the code seems (and is) more trustworthy in the eyes of the consumer – somewhat like a brand image, but for a code. This means more users and more revenue, while at the same time data subjects’ rights are being protected.
Overall, codes of conduct are an interesting alternative way of signalling compliance and strengthening one’s privacy and data handling practices. These codes can be very cost-effective and efficient. A good data protection officer should certainly investigate them as a viable option for simplifying and streamlining the GDPR compliance process.