What you need to do.

The GDPR encourages trade federations to establish codes of conduct. These codes of conduct turn the (general) rules of the regulation into concrete rules of the game that take into account a sector’s specific processing activities as well as the needs of SMEs. Such codes can therefore save the members a lot of time and money. When such codes comply with article 40 GDPR, they can be approved by the data protection authority concerned. As a result, they become binding upon those companies that have adhered to the code. This offers important benefits under the GDPR as well.

Currently there is still remarkably little discussion about (either binding or voluntary) codes of conduct.  That is not really surprising with regard to binding codes of conduct. The rules that such codes have to satisfy probably constitute a high threshold for many trade federations, and so the European Data Protection Board is working on guidance in this respect. However, this does not prevent trade federations from already giving their members concrete assistance today.  

What you(r trade federation) need(s) to do.

Many trade federations have (reluctantly) started providing guidelines and templates to their members. We nevertheless notice that many companies (and especially SMEs), even after 25 May 2018, are trying to tackle GDPR obligations on their own. Yet this is not the most time and cost efficient way to go about it.

How can trade federations effectively help your company? Many data processing activities are more or less the same for every company. Furthermore, each sector has its own specific processing activities. For example, management of supplier contacts or staff administration, but also the use of sensitive data by banking and insurance brokers for payment of compensation after an accident.

General guidelines and models provided by a trade federation are good, but concrete analyses and already-completed templates are better. For example, already-completed records of processing activities, the assessment regarding the appointment of a data protection officer, a list with concrete data protection measures (such as what data can be pseudonymised and how), etc. Naturally, it remains the responsibility of each company within the federation to verify that it does not depart from the “standard” processing activity. However, in most cases such a check will require much less time and expense than conducting the entire exercise from scratch.

In the meantime, a lot of experience has been gained with respect to GDPR. Get in touch with your trade federation and ask them to share this experience with their members. Encourage your trade federation to draw up codes of conduct and have them approved by the competent data protection authority, in so far as that may be useful for your sector (a question you can also ask your federation).