Cracking the Code: Lessons from the first ICO-approved UK GDPR Code of Conduct

In a recent Privacy Laws & Business article, Jonathan Howie and Katie Hewson explain how to develop a code, overcome challenges in developing the code and have it approved by the ICO.
In October 2024, the Information Commissioner’s Office (ICO) approved the UK GDPR Code of Conduct for Investigative & Litigation Support Services (the Code), which was developed by the Association of British Investigators (ABI). The Code is the first UK GDPR code of conduct approved by the ICO and represents a significant step forward in options for demonstrating compliance with complex areas of data protection law.
This article examines how UK GDPR codes of conduct (or codes) work, details the Code team’s experience of the challenges in getting the first Code passed, gives practical suggestions to tackle these hurdles, and analyses the prospects for more codes in the future.
What are codes of conduct?
Codes of conduct, as set out in Article 40 of the UK GDPR, are formal frameworks developed by industry bodies to support the effective application of data protection law within a particular sector. The recitals to the UK GDPR say that bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct to take into account the “specific characteristics of the processing” in their sector. This means that codes can set out expectations and practical guidance to deal with sector-specific characteristics and risks of certain data processing activities.
The Code itself offers detailed guidance and advice for the processing of personal data in the context of investigative and litigation support services. This is a sector that attracts scrutiny for how it handles personal data in providing its services. Indeed, methods used by certain investigators can pose a high risk to data subjects, and can even seem to be antithetical to core data protection law principles such as transparency and lawfulness. By offering a tailored, ICO-approved approach, the Code aims to promote the practical application of the UK GDPR in this context.
Where the ICO takes enforcement action against an organisation or individual that has infringed the UK GDPR, it may take into account the organisation’s membership of a code of conduct and any lack of compliance with that code. Indeed, with respect to administrative fines, adherence to approved codes of conduct is one of the many factors to which the ICO must give due regard in deciding whether to impose an administrative fine and the quantum of that fine.
Why produce a code of conduct?
Based on our experience of working on aspects of drafting the Code, codes of conduct offer an opportunity for industry bodies to work with stakeholders to clarify genuinely novel and complex areas of data protection law. Codes provide an opportunity to address those issues that are not sufficiently covered by existing guidance or precedent.
There are often two key motivations for producing a UK GDPR code: enhancing trust and resolving complex legal issues.
Codes can give credibility and legitimacy to the code owner (usually an industry body) and to the organisations that certify their compliance with the code. In the eyes of many clients looking to ensure high-quality service provision, adherence to an ICO-approved code demonstrates a commitment to high data protection standards.
This is more pronounced in industries where there are underlying concerns about privacy and security. Code membership can position an organisation as a trusted privacy leader, which can help it to set itself apart from less reputable competition. Code members may view their membership as a mechanism to drive revenue from clients who may otherwise have legitimate concerns about how personal data will be handled. For organisations, code membership can demonstrate that the member takes its responsibilities seriously and give it a critical advantage in dealing with novel data processing activities.
Certain sectors also involve inherently complex or risky data processing operations. Although the ICO offers a wealth of practical and detailed guidance, the nuances of how this should be applied in certain sectors can give rise to uncertainty. Codes of conduct can offer pragmatic guidance for members on knotty issues. For example, investigators in the private sector often have to consider the risks and issues inherent in the invisible processing of personal data as part of their services. These can include how to ensure fair and lawful processing and how to uphold data subjects’ rights.
By proactively addressing these matters in a code of conduct, organisations can gain a competitive edge, establishing their behaviours as best practice in the field. This first-mover advantage can help set industry standards and influence customer expectations. As the old saying goes: if you’re not keeping up, you’re getting left behind.
Developing a code for approval
From a practical perspective, the development of a code will normally start with an initial assessment of data processing activities within a sector, to identify areas that require tailored guidance. Clearly, not every data protection law issue can be addressed, so it is important to prioritise those that cause the biggest concern or confusion and have the biggest impact on data subjects. The first draft is presented to the ICO by the code owner, for initial high-level feedback, which may go through several rounds.
The code owner will also need to engage with a range of stakeholders to conduct appropriate consultation. This consultation process could include speaking to data subjects, controllers within the industry, other public bodies, as well as continuing to engage with the ICO to ensure the code properly addresses the relevant issues that are raised. From our experience, this consultation process requires careful management, to ensure that the outcomes are productive and improve the quality of the code.
Alongside the development of the code and the consultation process, the code owner will need to ensure it has prepared the appropriate monitoring body to conduct the role required under the UK GDPR. The monitoring body is responsible for a range of activities, including certifying applicants as meeting the code of conduct criteria and standard.
To approve a code, a range of other information must be provided to the ICO, in addition to the draft of the code itself. The ICO requires evidence:
- of the code owner’s status in the sector,
- that a code owner can speak on behalf of a group,
- that a code owner has conducted appropriate consultation,
- that any other legislation has been considered carefully and
- of documents relating to the code’s monitoring body to ensure that body meets the ICO approval criteria.
Once the code is drafted, has been subject to appropriate consultation, and a monitoring body is lined up for support, then the code can be submitted to the ICO for full review by the ICO’s code assessment group (CAG). The CAG will produce a report recommending either approval, amendment or rejection of the code. Amendment and rejection communications will be accompanied by a written report highlighting the issues raised by the CAG. This report may identify further advice for how the code can be approved or, in some circumstances, reasons why there is doubt on the use/content of the code. The ICO says it expects the CAG process to take around 8-12 weeks, but a code owner should also expect that there will be time required after the CAG report is received, to remedy any issues it identifies.
Once approved, the ICO will publish the code on its website and it will be publicly accessible. The code does not stop at approval, however, and the code owner and monitoring body should conduct periodic reviews of the code to ensure it remains relevant and up to date. Further amendments or additions to the code may also require further approval by the ICO, although it is not clear whether the full CAG process would always be required.
What challenges are there to developing a code?
Since the UK GDPR entered into force almost seven years ago, the ICO has approved only one code of conduct, although we understand that several others are being prepared. This is despite regular encouragement from the regulator on the helpful role that codes of conduct can play.
Who will represent the industry?
There are quite a few challenges for an organisation to overcome in producing a code. The first stumbling block for many codes is the need for a representative industry body willing and able to commit resources to developing a code and to engaging with the ICO and industry. Certain sectors don’t have an obvious leader to take on the job, or even if they do, that body may not wish to commit resources to a code of conduct.
The process of producing sector-specific guidance on complex areas of data protection law is time-intensive and costly. Codes are complex documents, requiring careful consideration of both the law and of relevant industry practice. Drafting them often involves addressing novel legal issues, whilst making sure the guidance is sensitive to the risks of certain processing activities. There is, however, support available from the ICO for organisations looking to produce codes of conduct. Our experience is that this goes beyond just ensuring that the necessary criteria for the code are met, as it also provides helpful guidance around the structure, clarity and scope of a code of conduct.
Appropriate scope
Another key challenge is around ensuring the scope of a code is appropriate. It needs to strike a balance between providing practical guidance on complex issues and not seeking to replace legal advice on particular circumstances – in other words avoiding “scope creep”. Code owners should produce a clear code scope as an outcome of their initial assessments.
A code’s scope can demonstrate to industry players why the code-production process is worth the development time and cost. However, it’s important that it retains some flexibility. We spoke to Tony Imossi, secretariat of the ABI, who said that “we began by identifying key areas of non-compliance following the introduction of the GDPR and the changes it brought to the investigatory sector. This was really helpful as it gave us a solid number of issues we could think about and give advice on as part of the code. On review, the ICO were very helpful by removing a couple of these areas to make sure that the scope of the Code was specific enough to get through the approvals process. Through regular meetings and constructive work with the regulator we arrived at a scope that was workable for the ABI and the ICO”. Keeping to the scope and making sure it is fit for purpose is fundamental to ensuring the code survives the various rounds of consultation and approval described above.
The approval process and monitoring body
As well as the time and cost it takes to draft a code of conduct that has an appropriate scope, the approval process is intensive. As explored above, code owners are expected to carry out a range of stakeholder engagement activities, including specific consultations. The code owner must also identify an appropriate monitoring body to act as the certifying entity for compliance by an organisation with the requirements of the code. This means thinking practically about which body would have an appropriate level of sector expertise to monitor the requirements of the particular code. In a particularly niche sector, it may be a real challenge to identify an appropriate monitoring body. The monitoring body is responsible for establishing procedures to assess eligibility of controllers to apply to the code, monitor compliance, review its operation, handle complaints about infringements and make procedures transparent to data subjects. While the monitoring body must be sufficiently well-connected to the sector to understand the nuances of its processing, it must also be able to demonstrate to the ICO that it does not have a conflict of interest in the application of its duties. That can be a difficult balancing act.
Sharing and collaborating
Another key challenge is around making sure organisations are comfortable sharing knowledge with their peers and competitors, and collaborating to address specific concerns within their industry. Clearly, a code will only be effective if organisations within the relevant industry are willing to work together to support good practice.
There may be valid reasons for organisations not to support the development of a code. A controller may already consider it has excellent data protection practices and seek to avoid seeing its competitors achieve similar levels of compliance. If organisations are unwilling to support the development of the code, or adherence to the standards that it requires, a code owner is unlikely to be able to demonstrate the requisite consultation evidence. It will be important that the code owner has excellent stakeholder management to achieve good take-up of the code by key players in the industry.
Where can codes of conduct play the most significant role?
There are a range of other sectors we consider would benefit from producing a code of conduct, in particular sectors that often face scrutiny over personal data handling practices, or where there are genuinely challenging data protection issues. For example, in the restructuring and insolvency world – where case law has resulted in a complex web of responsibilities – a code of practice would give an opportunity to develop a practical map of good practices around personal data handling. Also, industries that have attracted regulatory scrutiny (such as credit reference agencies) may benefit from the positive features of a code discussed earlier. Being able to demonstrate to clients that an organisation takes its responsibilities seriously and seeks to be “best in class” has obvious commercial appeal.
Advice for prospective code owners
Imossi commented: “Developing a code of conduct is undoubtedly a challenging process, especially at the outset. But support is available, particularly from the ICO, who were constructive, pragmatic, and genuinely helpful throughout. You don’t need to be an expert in every aspect of the law to begin drafting; what’s more important is a willingness to engage and a belief in the value of what you’re trying to achieve. There will be moments of uncertainty, but with perseverance and the right guidance, the effort is absolutely worthwhile. If you believe in the purpose of the code, you can make it happen!”
Authors
Katie Hewson is a Partner and Jonathan Howie is an Associate at Stephenson Harwood LLP.
© PRIVACY LAWS & BUSINESS May 2025