Adhering to GDPR codes of conduct: A possible option for SMEs to GDPR certification

The paper shows that adherence to a code of conduct (CoC) offers small and medium enterprises (SMEs) an interesting option to a certification obtained under Article 42 of the General Data Protection Regulation (GDPR). Adhering controllers or processors benefit from similar rights to the one attached to certification without having to demonstrate conformity with the content of the CoC. Moreover, CoCs offer a set of customised guidelines, approved by a data protection authority (DPA(s)) that are accessible for free and designed to facilitate GDPR implementation. The functional scope that might be covered by CoCs is already wider than the one offered by certification, allowing controllers and processors to demonstrate compliance with a broader range of GDPR requirements. Nevertheless, using a CoC instead of certification presents some disadvantages. CoCs have a sectoral coverage limiting availability to the covered sectors. The adherence to a CoC does not grant any seal to signal compliance to end users. The likely competition between national business representatives to draft their own CoC entails the risk of inconsistencies between one member state and another. This risk is fostered by the absence of mutual recognition between national CoCs and the absence of mechanisms to prevent duplicates at national and European levels. The option chosen by the European lawmaker to entrust the accreditation of monitoring bodies to the DPA leaves some questions open on the capacity of DPAs to handle that task. Many of them have already complained about the shortage of resources, and accreditation will require hiring additional specialised profiles. Nevertheless, adhering to a GDPR CoC, when available, offers advantages over certification that should be considered by SMEs when they seek to comply with the accountability requirement set by the GDPR.