24 February 2020
Registering with the ICO
By Susan Doe
The UK data protection regulator, the Information Commissioner’s Office (ICO), announced on 3 December 2019 that they will be contacting ALL registered UK companies to remind them of their legal responsibility to register with ICO as a Data Controller and pay a registration fee.
The blog entry on the ICO website is headed ‘Data Protection fee: does your company need to pay?’
In short, the answer to that question is very likely to be ‘yes’. All organisations that process personal information are – by law – required to pay a fee to the ICO, unless they are exempt. The fee is determined by the size of the organisation and its turnover, and for the vast majority of small businesses will be £40 (reduced by £5 if you set up a direct debit).
To make sure you are paying the correct fee, fill in the self-assessment form on the ICO website: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
You can fill in the online form to register, or to tell the ICO why you think you are exempt. It is advisable to do this before you are contacted. The ICO can, and has, issued penalties to companies that have not paid their fee.
Small businesses and any organisation that has not previously registered with the ICO will want to make sure their business is dealing with data protection properly.
The General Data Protection Regulation (GDPR), which came into force in May 2018, and its related UK legislation, the Data Protection Act 2018, replaced a law that was two decades old; technology and the use of personal data have changed a great deal during that time. It would be difficult to find any sort of business that does not process personal data these days, and it is that processing – collecting, storing, recording, using – of personal data (anything that identifies an individual) that brings a business within the scope of the legislation.
Important things to point out
- This aspect of data protection law will likely continue in the same form, irrespective of Brexit.
- In order to process ANY personal data, you need to have a legal basis for doing so. Think your processes through and allocate one of the six legal bases – consent, contract, legal obligation, vital interest, public interest, legitimate interest.
- There are rules for when a business needs to appoint a Data Protection Officer (and remember that this role can be outsourced). Even if this role isn’t required, it would be good business practice to have a team member who is responsible for keeping up to date with the subject.
- All staff should be trained – at the very least to recognise data breaches and know how to report them, and to recognise a Subject Access Request from an individual. Both have tight deadlines for responding.
If you are unsure of your responsibilities regarding data protection, please refer to the ICO website here: www.ico.org.uk
© Naomi Korn Associates, 2020. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)