The General Data Protection Regulation places great emphasis on codes of conduct. The lawmakers envisioned these codes to be among the most used tools for companies to demonstrate their compliance with the GDPR.
Codes of conduct are sets of rules, drawn up for a sector or category of controllers or processors, that companies can adopt as a guideline for how they handle personal data. A code must be approved by the competent supervisory authority before it can be relied on (Article 40 GDPR). Once approved, a company that adheres to the code knows that its processing follows practices the regulator has already examined.
Adherence to an approved code is therefore a recognised way of demonstrating compliance: the GDPR names it explicitly as an element by which a controller or processor can show it meets its obligations (Articles 24(3), 28(5) and 32(3)). Note the limit, though: adherence is evidence of compliance, not a safe harbour. A company that follows the code but has no lawful basis for a given processing activity is still in breach.
Codes of conduct are expected to specify how the GDPR is applied in the sector concerned (Article 40(2)). Typical provisions cover fair and transparent processing, the legitimate interests pursued by controllers in specific contexts, the collection of personal data and its pseudonymisation, the information given to the public and to data subjects, the exercise of data subject rights, procedures for breach notification to the authority and communication to affected individuals, conditions for transfers to third countries, and out-of-court dispute resolution mechanisms between individuals and the company.
The code should also contain measures for especially protected data subjects, such as children, including how parental consent is obtained. And, importantly, it must address how individuals are informed of their rights under the GDPR.
Their relative simplicity and low administrative cost make codes of conduct an enticing option for smaller companies. They get a ready-made, regulator-reviewed set of processing rules without spending much on training or on drafting their own policies from scratch.
Companies cannot simply write their own codes of conduct. Codes are prepared by associations and other bodies representing categories of controllers or processors, typically trade or industry organisations, and then submitted to the supervisory authority for examination and approval. Most codes to date can be found in the Netherlands and Germany, but other countries should follow suit soon.
But adopting a code is not the end of the matter. A code is not there just on paper; you need to act according to it. Approved codes are publicly available (the European Data Protection Board keeps a register of them), so in principle anyone can see for themselves what an adhering company is supposed to be doing.
Once a company adheres to a code, compliance with it is monitored. The supervisory authority keeps its ordinary powers, but the GDPR also provides for a dedicated monitoring body, accredited by the supervisory authority, to check that adhering companies actually follow the code (Article 41). A code must itself contain the mechanisms that allow this monitoring to take place (Article 40(4)), so a good code spells out how adherence is verified.
Companies that breach the code can be suspended or excluded from it by the monitoring body, which must inform the supervisory authority, and they remain subject to the authority's usual corrective powers and fines. Adherence to an approved code is also one of the factors a supervisory authority weighs when setting a fine (Article 83(2)). Codes that do not meet the requirements are simply not approved, and a monitoring body that fails in its duties can lose its accreditation. Note too that the European Commission can, by implementing act, declare an approved code to have general validity across the whole EU (Article 40(9)).
Codes of conduct are a practical way of demonstrating compliance with the provisions of the GDPR, and users will appreciate it too. By adhering to a good code of conduct, you will be perceived as more trustworthy and more capable of securing their data. The equation is simple: more users equals more revenue. What's not to like about that?