The UK’s Information Commissioner’s Office (ICO) has published new guidance on certification and codes of conduct for data processing as well as expected timetables for finalising its revised guidelines on these topics.


Certification is a voluntary mechanism for organisations to validate their compliance with the General Data Protection Regulation 2016/679 (GDPR). Once the submissions process for certification schemes opens, controllers and processors will be encouraged to achieve a data protection certificate for their activities of personal data processing. This will demonstrate their GDPR compliance to regulators, businesses and the public. Certification by an accredited certification body will demonstrate enhanced transparency and accountability. Certification also represents an independent assurance that a business’ specific processing activities can be trusted.

Expected timeline: Summer 2019

As discussed in our recent blog, the European Data Protection Board (EDPB) published revised Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 as well as Guidelines on the accreditation of certification bodies under Article 43 of the GDPR (2016/679). The EDPB is now considering responses to follow-up consultations and is expected to publish final certification and accreditation guidelines this coming summer. The ICO will then submit its own additional requirements to EDPB for its opinion. Following final approval by the EDPB, the ICO will start accepting GDPR certification schemes for approval.

 Codes of Conduct

Codes of conduct are created by trade associations or other bodies in consultation with relevant stakeholders in a particular sector, including the public where necessary. Their purpose is to enable sectors to resolve key data protection challenges with assurance from the ICO that the respective code, and its monitoring, are appropriate and comply with GDPR requirements.

Codes of conduct will be voluntary accountability tools for controllers and processors in a particular sector to sign up to. They will demonstrate that organisations apply the GDPR to personal data processing effectively. By adhering to a code of conduct, controllers and processors can ensure that they follow rules to achieve good practice within their sector.

Expected timeline: Autumn 2019

The EDPB has also published the Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 for consultation. Responses are currently being considered so that revised EDPB guidelines can be finalised this summer. The ICO will then submit accreditation requirements for monitoring bodies to the EDPB for its opinion. The ICO expects to formally accept codes of conduct starting this autumn.


Given these timetables, coming months will bring significant developments on certification and codes of conduct guidelines from both the EDPB and the ICO. Make sure you stay up to date by keeping an eye on our blog for upcoming alerts.