This article was published in "The Privacy Advisor", a monthly member newsletter of the International Association of Privacy Professionals (IAPP). The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.
Europe’s new privacy rules deliberately avoid overly detailed phrasing where appropriate and keep the law abstract and based on principles, in part in consideration of the speed and disruptiveness of technical innovation. However, the GDPR did not leave those areas free from oversight. The regulation emphasizes business responsibilities and grants advantages to those who voluntarily self-regulate by making themselves subject to a co-regulated code of conduct (CoC). CoCs invite all businesses, especially micro- to medium-sized enterprises, to credibly declare their compliance with the GDPR.
What exactly are codes of conduct? Article 40 of the GDPR encourages the development of CoCs to “contribute to the proper application” of the regulation. Key areas covered by CoCs are, for instance, fair and transparent processing, collection and pseudonymization of personal data, as well as transfers of personal data to third countries. Organizations regulating themselves by signing up to a CoC can achieve facilitated proof of GDPR compliance within the scope of the respective CoC. Simultaneously, the GDPR requires continuous monitoring, based on transparent and independent procedures, to ensure a proper alignment with a CoC’s obligations. In effect, this means that a data controller’s or a processor’s compliance outlined in a CoC is not only enforced by the regulator — the oversight is additionally performed by an approved independent monitoring body pursuant to Article 41 of the GDPR.
One of the key benefits of an approved CoC is the legal certainty created by specifying vague provisions of the law. In principle, CoCs under the GDPR consider both business needs and the expectations of regulators: On the one hand, businesses jointly and voluntarily define the provisions of CoCs they regard as most important and implement the legal or technical shifts vital to their needs. As businesses themselves can draft a CoC and decide on its scope, the provisions can include innovation-friendly guidelines and state-of-the-art technical and organizational solutions as long as all relevant legal obligations are met. At the same time, the risks of high fines and cost-intensive adjustments of already implemented, non-compliant processes can be avoided.
On the other hand, the regulator is essentially involved in safeguarding adequate data protection and credibility. Under the GDPR, both the CoC and the respective independent monitoring body must be approved by the European Data Protection Board (EDPB). Article 41 of the GDPR establishes the principles on independence and the procedures necessary for an approved monitoring process under the GDPR. The EDPB will publish and maintain a register of approved CoCs.
This monitoring aspect also distinguishes codes of conduct from other safeguard mechanisms or schemes, like certifications. Generally, certification schemes are based on a single third-party assessment at a specific point in time. The monitoring of a CoC, however, must be continuous. Where appropriate, the depth of individual assessments may be streamlined in comparison to, e.g., a certification, for instance by relying on simple self-declarations that are subject to plausibility checks. For instance, the monitoring body could scrutinize CoC members on an ad hoc basis and perform periodic reviews, as well as additional reviews triggered by media reports or anonymous indications of an infringement of code provisions.
CoCs must not be confused with binding corporate rules, as the latter affect only entire companies and solely address adequacy. By signing up to a CoC, though, companies may choose to certify individual services rather than all business operations. Notably, CoCs can incorporate any provision of the GDPR that is open to interpretation and a balancing of interests.
In summary, CoCs and monitoring pursuant to Articles 40 and 41 of the GDPR will provide efficient means to demonstrate compliance under the GDPR and offer a suitable regulatory tool to foster innovation in the digital economy while safeguarding robust data protection standards and customer trust in the protection of personal rights. As a matter of fact, CoCs even give organizations the unique opportunity to concretize Europe’s new data privacy rules and foster a Europe-wide practical and innovation-friendly interpretation of the GDPR.