An Active Summer for GDPR: Part I, Codes of Conduct & Certification under the GDPR

As the summer is beginning to wind down, it is a good time to reflect on the last few months and to set priorities for the upcoming fall and winter months when it comes to a company’s security and privacy infrastructure. And, the EU authorities have had an active summer — giving companies in all regions of the world a lot to reflect on. To help keep everyone up to speed on the recent EU developments, our team put together a multi-part series breaking down the key updates from the EU over the past few months.

First up: the European Data Protection Board (EDPB), the EU governing body charged with administering data protection across the entire EU, released a number of guidelines providing further guidance on the General Data Protection Regulation (GDPR).  During the summer, the EDPB held two plenary sessions: the Eleventh Plenary session on June 4, 2019 and the Twelfth Plenary session on July 9 and 10, 2019 (we will delve into this session next week). 

At the Eleventh Plenary session, the EDPB adopted the final version of three key documents related to the consistent and effective application of the GDPR across all Member States and a variety of industries: (1) Guidelines 1/2019 on Codes of Conduct; (2) Annex to the Guidelines 4/2018 on Accreditation; and (3) Annex to the Guidelines 1/2018 on Certification

Codes of Conduct under the GDPR, addressed in Articles 40 and 41, permit trade associations and other bodies representing categories of controllers or processors (i.e., groups representing members of a specific industry) to prepare codes of conduct to address the specific application of the GDPR and the types of processing activities conducted by that specific industry. The goal is for these Codes of Conduct “to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.” See Art. 40. 

The UK’s Information Commissioner’s Office explains that:

Codes of conduct are voluntary accountability tools, enabling sectors to own and resolve key data protection challenges in their sector with assurance from ICO that the code, and its monitoring, is appropriate. They can help you to reflect on your processing activities and ensure you follow rules designed for your sector to achieve good practice. They are written by an organisation or association representing a sector in language that the sector understands and enable sectors to solve these challenges.

By signing up to a Code of Conduct, controllers and processors can ensure they apply the GDPR effectively and in doing so establish operational norms in compliance that ultimately should assist in reducing instances of non-compliance. Codes of conduct require a monitoring method, and for private or non-public authorities, a monitoring body to deliver them.

These Codes are approved at either the member state or European level, and these guidelines provide clarification on that submission and approval process. The Guidelines provide a framework to the national and European level authorities to determine whether these Codes meet the requirements of the GDPR and should be approved. The goal is to ensure that member states are approving these Codes in a consistent manner so that the GDPR is not applied differently depending on the Member State a company is doing business in. 

These Codes of Conduct also offer a unique opportunity for industries to obtain pre-approval for processing activities that may not fit squarely or “cleanly” within the terms of the GDPR. An industry can voluntarily create standards to address the requirements of the GDPR; and, then companies who comply with the Codes receive some assurance that their actions are in compliance with the GDPR. These Codes can provide the assurance that many companies seek in what can seem a very confusing and challenging regulation to comply with. 

Along the lines of the Codes of Conduct, the second two documents adopted by the EDPB relate to accreditation of certification bodies under the GDPR.  The GDPR expressly recognizes that “[t]he Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” Art. 42(1). “[C]ertification bodies which have an appropriate level of expertise in relation to data protection” may be created and accredited by the supervisory authorities in order to certify and re-certify organizations for compliance with the GDPR. Art. 43.

In addition to the guidelines on the Codes of Conduct, the EDPB adopted two annexes regarding the process to accredit certifying bodies and then the subsequent certification process to determine a company’s GDPR compliance. These Annexes create a baseline for consistent and harmonized accreditation of these certifying bodies as well as the criteria that should be used in assessing whether a certification mechanism satisfies the requirements of the GDPR. Under accreditation, national supervisory authorities or the Europea-level authorities confirm that a third-party is competent to certify a company in its GDPR compliance, providing a level of trust in the certification process.

For the certification criteria, the Annex focuses on the scope of certification (i.e., the entire company versus certain processing activities). This is key under the transparency initiative promulgated throughout the GDPR (and specifically required under Article 5(1)(a). The extent of the certification needs to be clear, both to the company and the public. Many of the other criteria outlined track the actual requirements of the GDPR itself: lawful basis for processing data, general obligations of controllers and processors, data subject rights, and technical and organization measures employed by the company.

These certification criteria are key since it is likely that certifying bodies will likely become more common in the coming years. Further, the accreditation requirements will ensure that these certifications remain valid and retain the trust of the public — which will allow companies to take advantage of these certifications in demonstrating GDPR compliance. 

The EDPB’s adoption of these three documents provides more guidance for companies to proactively confirm compliance with the GDPR. The GDPR still contains many unknowns; in its attempt to provide a company leeway to determine the best security and privacy practices to fit the business’ needs, the GDPR leaves the operational aspects of the regulation up to the individual company. And, this leaves room for interpretation and potential non-compliance. By adopting Codes of Conduct, and allowing for a certification of compliance, companies can attempt to mitigate the risk of falling afoul of the GDPR. And, while these mechanisms of confirming compliance are still evolving, it is worth exploring whether these mechanisms can provide the desired assurance for compliance going forward. 

Tune in next week for our second part in the series: a deep dive into the Twelfth Plenary session! 

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.