Data Protection and Registering with the ICO

Oct 13, 2021

A brief introduction...

  • Data protection is about ensuring individual customers can trust your organisation to use their information fairly and responsibly.
  • If you collect personal information about individuals for any reason other than your own personal use, you need to comply with UK law and legislation.
  • The Information Commissioner's Office (ICO) regulates data protection in the UK, offering advice and guidance while promoting good business practices, carrying out audits, considering complaints, and monitoring ongoing compliance.
  • GDPR dictates that you must appoint a Data Protection Officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities such as regular and systematic monitoring of individuals, or large-scale processing of sensitive data.
  • Outsourcing your Data Protection Officer responsibilities can be a cost-effective alternative to an internal hire, providing access to a wide team of GDPR and data protection professionals and technical experts rather than limiting your business to one individual.
  • The UK data protection regime is set out in the Data Protection Act 2018 (DPA) alongside the UK General Data Protection Regulation (GDPR).

Data Protection

Data protection is the ‘fair and proper use of information about people’ and underpins an individual’s fundamental right to privacy. From a business perspective, it is about building trust between your organisation (i.e., the controller) and your customers (i.e., the data subjects) by treating everyone fairly and openly, and recognising their right to control their own identity and their interactions with others.

What is a ‘controller’?

A controller is usually an organisation, or a sole trader that collects, processes, and handles data. As the controller, they are responsible for ensuring that the processing of said data complies with UK laws and regulations.

What is a ‘data subject’?

A data subject is the technical term for the individual to whom the personally identifiable information relates.

Data protection is not just a legal necessity, but crucial to protecting and maintaining your business. Regardless of how your organisation stores or handles data, any identifiable information about an individual needs to be protected. Simply put, personal data in the UK is protected by law, namely the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

GDPR vs DPA

In short, the original Data Protection Act (the DPA 1998) was the UK's equivalent of the EU's 1995 Data Protection Directive. The General Data Protection Regulation (GDPR) came into effect in 2018, designed as a direct replacement for that earlier framework, with the DPA 2018 introduced alongside it.

Data Protection Act 2018

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and was amended on 1 January 2021 to reflect the UK’s status outside the EU.

The DPA sits alongside and supplements the UK GDPR, for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

What data needs to be protected?

Key pieces of information that are commonly stored by your business, be that employee records, customer details, loyalty schemes, transactions, or other data collection, need to be protected. This is to prevent that data from being misused by third parties for fraud through social engineering attacks (e.g., phishing scams and identity theft).

Common data that your business might store or process may include:

  • Names
  • Addresses
  • Emails
  • Telephone numbers
  • Bank and credit card details
  • Health information


This data contains sensitive information that could relate to your current staff and their partners or next of kin; your shareholders, business partners and clients; and your customers and other members of the public. Protecting all this information in accordance with the Data Protection Act requires businesses to adhere to specific principles.

Principles

The Data Protection Act contains a set of principles that organisations, government, and businesses must adhere to, so data remains accurate, safe, secure, and lawful.

These principles ensure data is:

  • Only used in specifically stated ways
  • Used only in relevant ways
  • Kept safe and secure
  • Not stored for longer than necessary
  • Used only within the confines of the law
  • Stored following people’s data protection rights
  • Not transferred out of the European Economic Area


There are stronger legal protections for more sensitive information, such as:

  • Race
  • Ethnic background
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetics
  • Biometrics (when used for identification)
  • Health
  • Sex life or orientation

GDPR

The introduction of the GDPR represents the most significant shift in data security standards for several decades. Although many of the underlying principles remain the same as under the DPA, the GDPR's scope is far more comprehensive and wide-reaching, meaning businesses need to amend their data protection policies accordingly or potentially face serious consequences.

The UK GDPR is a UK law which came into effect on 25 May 2018. It sets out the key principles, rights, and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.

It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679), which applied in the UK before that date, with some changes to make it work more effectively in the UK context.

You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.

If you hold any overseas data collected before 1 January 2021 (referred to as ‘legacy data’), this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’).

Data Protection Officer (DPO)

GDPR dictates that you must appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities such as regular and systematic monitoring of individuals, or large-scale processing of sensitive data.

Although other businesses are not legally required to have a DPO, the ICO recommends every business appoints a DPO to comply with GDPR and avoid fines.

Benefits of outsourcing DPO responsibilities

  • Provides independent advice - Obtain the insight and impartial advice needed to set your organisation’s cyber security goals and budget.
  • Measures security effectiveness - Better understand the effectiveness of existing security controls and procedures and receive help communicating risks to key stakeholders.
  • Informs strategic improvements - Gain the insight you need to identify and implement the security improvements that will be of greatest benefit to your organisation.
  • Supports regulatory compliance - Better understand the latest data and information security standards, how they apply to your business, and the controls needed to comply with them.

Can I outsource my DPO responsibilities?

Outsourcing a data protection officer is more cost-effective than an internal hire, particularly as you only pay for the time you require (saving on overheads, holiday cover, etc.). You also benefit from access to a wide team of certified GDPR practitioners, data protection professionals and technical experts rather than limiting your business to the experience of one individual.

If you would like to know more about a Virtual Data Protection Officer, you can learn more here or get in touch with one of our cyber experts today and we’ll be happy to assist you.

Registering with the ICO

The ICO (the Information Commissioner's Office) is an independent body dedicated to upholding information rights in the public interest and data privacy for individuals in the UK. The ICO enforces the provisions of the Data Protection Act and the GDPR as well as other important pieces of legislation such as the Freedom of Information Act and the Privacy and Electronic Communications Regulations.

One of the main aims of the ICO is to ensure that organisations comply with data protection laws. This entails making sure they process personal information in a fair and transparent manner that respects the rights of the data subject. The ICO has a duty to investigate complaints from members of the public and can impose hefty fines on businesses that are seen to be flouting data protection rules.

Do I need ICO registration?

As part of the Data Protection Act, any entity that processes personal information will need to register with the ICO and pay a data protection fee unless they are exempt. This applies to every type of company, from sole traders and SMEs through to multinational corporations.

However, you are not required to register with the ICO and pay a fee if you are only processing personal data for staff administration, accounts and records, not-for-profit reasons, personal or family affairs, or advertising, marketing and public relations purposes. Though unlikely, you are also exempt if you only keep paper records and do not use an automated system such as a computer to process personal information. Even if you fall into one of these categories, if your business uses CCTV for crime prevention purposes you will still need to register and pay the fee.

You can use the ICO self-assessment form to determine whether or not you are exempt.

What is the data protection fee?

If you aren’t exempt, you’re required to pay a yearly fee that is set by Parliament. The fee depends on the size of your business, most notably how many staff you employ and your annual turnover.

There are three payment tiers ranging from £40 to £2,900; most businesses will pay either £40 or £60 per year. It may be best to opt for a direct debit payment method, ensuring your organisation does not forget to renew the following year.

The three payment tiers and the associated annual costs are:

Tier 1 - micro-organisations - If you have a maximum turnover of £632,000 for your financial year or no more than 10 employees, the fee is £40.

Tier 2 - small and medium organisations - If you have a maximum turnover of £36 million for your financial year or no more than 250 employees, the fee is £60.

Tier 3 - large organisations - If you exceed the figures stated in tiers 1 and 2, you will be in tier 3 and the fee is £2,900.

However, one exception is that charities and small occupational pension schemes pay £40 regardless of their turnover or staff numbers.

Registering with the ICO

You can pay your data protection fee online via the ICO website. If it’s the first time you’re submitting a payment, you’ll need to fill out a form. This can take around 15 minutes. You’ll need your company registration number (if you have one), the number of employees you have, your contact details, and your bank or card details.

ICO registration check

Businesses that don’t adhere to data protection rules and fail to pay their yearly fee can be fined up to £4,350 by the ICO, so it is always best practice for your organisation to pay the much smaller yearly fee.

On top of this, the ICO publishes a list of all fee-paying companies. So, if your business isn’t on that list, it becomes obvious to your customers and suppliers quite quickly.

Paying the fee and getting yourself on the list not only helps you avoid financial penalties, but is also seen as a sign that you’re aware of your data protection obligations.
