How do we gain monitoring body accreditation?

Latest updates

29 March 2023 - we have amended and updated the ICO monitoring accreditation requirements to remove duplicated text and to ensure the wording is clear. We have removed references to the monitoring body requirement to provide evidence to demonstrate how fines will be paid and how it will meet its liabilities. We have also included new requirements that require monitoring bodies to check with potential code members that they are not subject of ICO investigation or regulatory action, that the monitoring body will take into consideration as part of its monitoring arrangements complaints about code members and current or recent ICO investigations or regulatory action.

We have also updated our guidance to reflect these changes.

At a glance

All codes of conduct, whether public or private, must contain suitable ways to effectively monitor compliance with the code and take appropriate action in cases of infringement. These methods need to be clear and efficient.

Codes of conduct covering private or non-public authorities must also identify a monitoring body who will fulfil the monitoring requirements. This body can carry out compliance monitoring against a code of conduct where it has appropriate expertise and is accredited (approved) to do so by the ICO.

Monitoring bodies may be:

internal - they may be a separated, independent part of the code author organisation; or
external they could include audit, monitoring, consultancy or other bodies, as long as they fully meet all the accreditation requirements.

In brief

What are the accreditation requirements?
What supporting documents are required?
How can we demonstrate independence for an internal monitoring body?
What is the monitoring body assessment process?
What are the timescales?
What is the code review process?
What are the reporting requirements to the ICO?
Can a monitoring body be added to a code of conduct later on?
What about complaints?
What about appeals?
Could a monitoring body be fined for UK GDPR infringements made by code members?
Can the monitoring body accreditation be revoked?
How do we apply for accreditation?

What are the accreditation requirements?

You must submit all applications for monitoring body accreditation in English or Welsh with all supporting documents to the ICO and must demonstrate that as a monitoring body you:

are appropriately independent from code owners considering specifically your legal and decision-making procedures, financial, organisational and accountability arrangements;
can act free from sanctions or external influence to ensure that no conflict of interest arises;
have the required knowledge and expertise;
have established procedures, structures and resources for the monitoring of compliance with the code;
have an open and transparent complaints handling and appeals process to receive, evaluate, track, record and resolve complaints and appeals;
will communicate to the ICO any code member infringements that lead to suspensions or exclusions and any substantial changes to your own status;
will review the code to ensure that it remains relevant and up to date; and
have appropriate legal status.

There are a number of requirements that you need to meet in order to gain ICO accreditation and these are set out in further detail within the accreditation requirements document.

What supporting documents are required?

You need to provide evidence to support how you meet the criteria set out above and in particular that:

you are independent from the code owner and code members, for example, information barriers, separate reporting management structures, formal rules and procedures for staff appointment, etc;
you have a risk assessment process to ensure that no conflict of interest arises;
you have an in-depth understanding, knowledge and experience of the specific data processing activities outlined in the code, the sector and required data protection expertise. This could include but is not limited to evidence to support your status as a trade association/representative body, your personnel training/qualifications and evidence requirements as outlined in the code of conduct;
your procedures and structures allow you to assess the eligibility of code members to apply for code membership and comply with code requirements, ensure potential code members are not subject of any ICO investigation or regulatory action that might prevent code membership being issued, and provide periodic compliance monitoring period and evidence your procedures for management of code member infringements;
you have a complaints handling process for complaints about code members, complaints against yourself and your appeals handling process;
you have a process for communicating suspensions or exclusions of code members to the ICO and process for reporting substantial changes to the ICO;
you have plans and procedures to review the operation of the code, provide the ICO and the code owner with an annual report on the code’s operation and apply code updates as instructed by the code owner; and
your legal status ensures that you have the appropriate standing to meet the requirements of being fully accountable in your role and have sufficient financial and other resources to fulfil your monitoring responsibilities.

How can we demonstrate independence for an internal monitoring body?

A code owner will have to demonstrate how the monitoring body can remain impartial from, code members, the profession, industry or sector to which the code applies.

How this will work in practice will vary depending on the code topic, the sector and the organisations involved so there is no universal approach to demonstrating independence.

Code owners will need to consider the risks to impartiality and demonstrate how they will minimise or remove these risks on an ongoing basis.

We expect that in some cases existing models of self-regulation or co-regulation familiar to representative bodies and trade associations may be adapted to meet these requirements. Existing good practice in these areas could all help to prove impartiality, such as:

being able to evidence the ability to act free from inappropriate influence;
separate decision-making arrangements;
separate staff and governance reporting lines;
separate funding arrangements or budget management; and
technical measures, such as information barriers.

What is the monitoring body assessment process?

We anticipate that the monitoring body accreditation will take place at the same time as the code of conduct approval. However, there will be two separate application processes for monitoring body accreditation and code of conduct assessment.

A monitoring body will need to make an application for accreditation to ensure that these requirements are met.

The ICO will fully review the application form to ensure that it meets all accreditation requirements. If further information is required, we will request this from the code owner or the monitoring body, as appropriate.

We will notify you in writing whether the accreditation requirements have, or have not been met, with reasons to support the conclusion.

What are the timescales?

In most cases the accreditation of a monitoring body will take place alongside the approval of a code of conduct. Therefore, we anticipate that once the application for monitoring body accreditation is formally submitted, the process should take no longer than 8-12 weeks.

What is the code review process?

A code owner should review the code of conduct to ensure that its content remains relevant and up to date. The monitoring body will contribute to this review, as required by the code owner. You should therefore document plans and procedures which include providing the code owner with an annual report on the operation and relevance of the code.

If the code owner needs to make any amendments or extensions to the code, they should let the ICO know in writing at [email protected].

What are the reporting requirements to the ICO?

You are required to notify the ICO of any suspensions or exclusions of code members. It is envisaged that suspension or exclusion of code members will only apply in serious circumstances and code members will first have the opportunity to take suitable corrective measures. You are required to immediately notify the ICO of:

any suspensions or exclusions of code members, providing a summary outlining details of the infringement and reasons for the action taken, in line with the suspension/exclusion process’
any procedure for lifting suspension or exclusion of a code member.

You should also notify the ICO immediately and without delay about any substantial changes to your ability to function independently and effectively, your expertise and any conflict of interest. Substantial changes will result in a review of your accreditation. Substantial changes may include changes to:

legal, financial, commercial, ownership or organisational status and key personnel;
resources and any changes to UK legal entity; and
any changes to the basis of meeting any of the accreditation requirements.

Can a monitoring body be added to a code of conduct later on?

A code of conduct for a private/non-public authority cannot be approved without a monitoring body accredited by the ICO. However if you wish to add an additional monitoring body after the code has been approved you will be required to make a separate application for accreditation and demonstrate that the new body meets all the monitoring body accreditation requirements, as described above.

What about complaints?

You should have a documented process to receive, evaluate and make decisions on complaints received about code members and complaints made about your own activities.

The ICO expects that any complaint is first addressed by you, even if it was directed to us. We normally expect you to resolve non-complex complaints within three months.

Your complaints handling process should be clear, transparent, publicly available and should meet the requirements for accreditation. This includes a requirement to maintain a record of all complaints and the actions taken, which the ICO can access at any time.

What about appeals?

You should have a documented process to receive, evaluate and make decisions on appeals that may be made by a code member or potential code member concerning membership, suspension or exclusion. This process should be clear, transparent, publicly available and meet the requirements for accreditation.

Could a monitoring body be fined for UK GDPR infringements made by code members?

No, a monitoring body is responsible for checking code members’ compliance with the code requirements.

A monitoring body could be fined for UK GDPR infringements in its own capacity as a data controller but is not responsible for the GDPR fines of a code member.

Can the monitoring body accreditation be revoked?

Under Article 41(5) the ICO must revoke (withdraw) the accreditation of a monitoring body if the requirements for accreditation are either not met, no longer met, or where actions taken by the body infringe the UK GDPR.

The consequences of revoking the accreditation of the monitoring body will be the suspension, or permanent withdrawal, of the monitoring body from the code. This may adversely affect the compliance, reputation or business interests of code members, and may result in a reduction of trust by their data subjects or other stakeholders.

Where possible, before revoking accreditation, the ICO will provide the opportunity to address issues, or make improvements as appropriate, within an agreed timescale.

Revocation of accreditation of a monitoring body may apply in a number of serious circumstances, for example:

contravention of key monitoring body requirements such as seriously breaching their expected independence and expertise, serious conflict of interest issues, or absent monitoring of code member compliance;
unacceptable volumes / nature of complaints about the monitoring body, received from code members or others, or the monitoring body’s lack of action in addressing complaints about their code members; and
other serious or adverse activities undertaken by the monitoring body, as disclosed by the press or other public platform, which brings the body into disrepute.

How do we apply for accreditation?

You should have already spoken with the code owner regarding the code for which you will become the monitoring body. If you have already made contact with the ICO for an informal discussion regarding your accreditation and you are ready to make an application please complete the application form below and submit to us via [email protected].

In more detail - European Data Protection Board

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

The European Data Protection Board (EDPB), which has replaced the Article 29 Working Party (WP29), includes representatives from the data protection authorities of each EU member state. It adopts guidelines for complying with the requirements of the GDPR.

EDPB ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679'