Understanding the ICO’s Codes of Conduct: A Guide for Organisations

The Information Commissioner’s Office (ICO) in the UK promotes codes of conduct as voluntary accountability tools under UK data protection law. These codes help sectors or professions address specific data protection challenges, demonstrate compliance with the UK GDPR, PECR (Privacy and Electronic Communications Regulations), or Part 3 of the Data Protection Act 2018 (law enforcement processing), and build public trust. The guidance was last updated on 5 February 2026, incorporating changes from the Data (Use and Access) Act 2025 (DUAA).

What Are Codes of Conduct?

Codes of conduct are sets of rules developed by associations, industry bodies, or expert public bodies to provide practical, sector-specific guidance on complying with data protection laws. They go beyond simply restating the law by offering tailored solutions for common processing activities in a sector or profession.

Key benefits include:

  • Tailoring UK GDPR, PECR, or DPA Part 3 requirements to specific needs (including for micro, small, and medium-sized enterprises)
  • Helping organisations demonstrate accountability
  • Improving compliance cost-effectively
  • Building public confidence in how personal data is handled

ICO approval confirms that the code and its monitoring mechanisms meet the legal requirements. Signing up is voluntary, but adherence to an approved code can be used as evidence that an organisation is applying the law effectively.

Types of Codes

There are three main types:

  1. Codes relating to the UK General Data Protection Regulation (UK GDPR)
  2. Codes relating to PECR
  3. Codes relating to Part 3 of the Data Protection Act 2018 (law enforcement processing)

What Should a Code of Conduct Cover?

Codes should focus on sector-specific data protection issues rather than general restatements of the law. Potential topics include:

  • Fair, lawful, and transparent processing
  • Data subject rights
  • Legitimate interests assessments
  • Pseudonymisation and other risk-mitigation techniques
  • Other relevant processing challenges

A code must outline:

  • The code owner’s authority to represent controllers/processors (for UK GDPR/PECR) or status as an expert public body (for DPA Part 3)
  • The code’s purpose, benefits, and added value
  • Covered processing activities, applicable controllers/processors, and targeted data protection issues
  • Compliance monitoring mechanisms
  • For private/non-public sector codes: Details of the monitoring body, its legal status, and accreditation
  • Stakeholder consultation outcomes
  • Confirmation of compliance with data protection and other laws

Who Develops and Approves Codes?

Code owners (associations, representative bodies, or expert public bodies) develop codes in consultation with stakeholders (including the public where possible). They submit codes to the ICO for approval.

The ICO:

  • Provides advice and guidance during development
  • Checks compliance with detailed requirements
  • Approves and publishes approved codes in a public register
  • Accredits monitoring bodies (where required)

The ICO encourages code development where it benefits sectors and supports cross-sector codes for shared processing needs (e.g., HR or IT professionals across industries).

Monitoring Compliance

UK GDPR and PECR codes must include effective methods for monitoring adherence and procedures for handling infringements, with clear, suitable, and efficient actions against members who breach the code.

DPA Part 3 codes explain internal audit and compliance mechanisms.

For private sector/non-public codes, an independent monitoring body must be identified and accredited by the ICO through a separate process.

Why Sign Up to a Code?

Adopting a relevant approved code helps organisations:

  • Apply data protection law consistently and effectively
  • Enhance transparency and accountability
  • Follow best practices tailored to their sector
  • Mitigate risks in processing activities
  • Improve areas like breach reporting and privacy by design
  • Assure individuals that their data is handled lawfully, protecting rights and freedoms

How to Become a Code Member

Check the ICO register of approved codes for relevant codes in your sector or profession.

Contact the code owner or monitoring body directly to learn about joining (membership/sign-up processes vary).

Current Status of Approved Codes

The ICO maintains a public register of approved codes. Notably, the first UK GDPR code was approved in October 2024: the Association of British Investigators (ABI) UK GDPR Code of Conduct for Investigative and Litigation Support Services. This remains a key example, with the ICO publishing it in November 2024.

Recent DUAA changes (effective February 2026) have updated rules around codes (e.g., enhanced ICO duties for law enforcement codes and reporting on exclusions/suspensions). The ICO is updating guidance, with further changes to codes of conduct processes expected in Winter 2025/2026 or later.

For the latest list, consult the ICO’s register directly, as new approvals may be added. Apart from pioneering examples such as the ABI code, no broad sector-wide codes are currently listed as approved, but the framework supports further development.

Key Legal References

  • UK GDPR Articles 40-41, Article 83, and Recitals 77, 98, 99, 168
  • PECR Regulations 32A, 32B, 32C
  • Data Protection Act 2018 Sections 55, 56, 59, 66, 71A

If your organisation is considering developing a code, contact the ICO for support. For monitoring body accreditation or detailed application processes, refer to the ICO’s detailed guidance. Always check the official ICO website for the most current information, as the framework evolves with DUAA implementation.

This overview is based on the ICO’s published guidance (last updated 5 February 2026). For compliance, review the full resources and consult legal experts where needed.
