Operationalising accountability through Codes of Conduct and Certification

07th February 2020

Accountability - GDPR Article 5.2… “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles of data protection]”

As one of the GDPR’s most important innovations, the principle of accountability (Article 5.2 in the GDPR) means that organisations processing personal data must:

  • be able to stand by and justify the legitimacy of their processing activities;
  • at all times be able to demonstrate their compliance with the GDPR to their customers and data protection authorities; and
  • be able to clearly explain how their processing activities promote and support the protection of personal data and data subject rights.

The GDPR has several distinct mechanisms that organisations can include in their compliance efforts to demonstrate accountability. Two examples that the DPC believes have significant potential to give practical effect to the concept of accountability are:

  • Codes of Conduct under Articles 40 and 41
  • Certification under Articles 42 and 43.

For the DPC and other EU data protection authorities, accountability is a core aspect of supervision and enforcement work.  As effective accountability tools, Codes of Conduct and Certification will allow all stakeholders to play their part in the application, monitoring, supervision and enforcement of data protection standards.

Considering Codes and Certifications

The DPC strongly encourages stakeholders to consider the potential for Codes and Certifications in their sector. A first step in the design and development of Codes and Certifications is thoughtful assessment of where they can be most effectively used. This will help organisations meet their regulatory obligations and instil public and regulatory confidence in their stewardship and governance of personal data.

In particular, in the interests of helping small and medium sized enterprises (SMEs), we encourage the development of Codes and Certification schemes covering the data processing operations of outsourced service providers such as cloud, HR and financial services. With the backing and stewardship provided by independent monitoring bodies and standards-based national accreditation boards (in Ireland this is the Irish National Accreditation Board), data processor Codes and Certifications can give SMEs using outsourced services the ability to ensure and demonstrate that their activities are compliant with data protection law. 

Work on the regulatory approval process

Following earlier publication of European Data Protection Board (EDPB) opinions and guidelines, this year the DPC and many other supervisory authorities   are bringing to fruition their preparatory work on the regulatory approval process for Codes of Conduct and Certification accreditation and schemes.

As required under the GDPR, the DPC recently requested a formal opinion of the EDPB on our draft accreditation criteria for independent Monitoring Bodies for Codes of Conduct and our draft additional accreditation requirements for Certification bodies. We anticipate that this process will be concluded by early Q2 2020, from which point we will be encouraging applications for Certification schemes and Codes of Conduct.

Meanwhile the DPC is ready to engage with stakeholders during their design and specification of Codes and Certification schemes. 

Children’s data

On the specific matter of processing children’s personal data, the DPC is obliged under Section 32 of the Data Protection Act 2018 to encourage the drawing up of Codes of Conduct by industry. To this end, we organised a public consultation on the processing of children’s personal data and the rights of children as data subjects, which ran from December 2018 to April 2019, to gather the views of both adults and children.

We will shortly be publishing a detailed piece of draft guidance to address the issues highlighted in the consultation, and stakeholders will have an opportunity to comment and make submissions on that guidance before it is finalised. The final version of that guidance will then provide a firm foundation for the drawing up of one or more Codes of Conduct on the processing of children’s personal data. The DPC will proactively seek to drive industry forward with a view to developing one or more such Codes of Conduct as a top priority in 2020.

Accountability tools such as these present an important opportunity to provide assurance and confidence for individuals that their data is being processed responsibly and lawfully.

In 2020 we anticipate that momentum will build around these tools as enablers of accountability, to promote choice and best practice and, ultimately, raise compliance and trust in an increasingly linked, social and dynamic world of online and offline personal data processing.