The Data Protection Act 1998 requires every data controller (e.g. Organisation, Sole Trader) who is processing personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. More than 490,000 Organisations are currently registered.
‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them. ‘Processing’ includes doing any of the following with the information:
Updating it; and
The cost of your data protection registration depends on your size and turnover, but for most businesses it costs £35.
You will only need to pay £500 if you have:
Some Organisations only pay £35 regardless of their size and turnover. These are:
The General Data Protection Regulation (GDPR)
One of the regulatory requirements missing from the GDPR is the requirement to register your data processing activities with a supervisory authority (the ICO in the UK).
If you are thinking that under GDPR you do not need to register, or pay a fee for registering, you’re going to be disappointed.
When the new data protection legislation comes into effect on 25th May this year, there will no longer be a requirement to notify the ICO in the same way. However, the recently passed Digital Economy Act 2017 contains provisions (Part 6) on “Charges payable to the Information Commissioner” which enable the Government to introduce Regulations for a charging and registration regime for the ICO.
The Data Protection Bill (to be enacted as the Data Protection Act 2018) section 132 “Charges payable to the Commissioner by controllers” also allows for Regulations to be made by the Secretary of State which require controllers to pay charges of an amount specified in the Regulations to the Commissioner.
Therefore, the Digital Economy Act and the upcoming Data Protection Act 2018 mean it will remain a legal requirement for data controllers to pay the ICO a data protection fee and be registered.
These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines is passed directly back to the Government.
The new system will aim to make sure the fees are fair and reflect the relative risk of the Organisation’s processing of personal data. The size of the data protection fee will still be based on the Organisation’s size and turnover and will also take into account the amount of personal data it is processing.
If you are a data controller for the purposes of the Data Protection Act 1998 and you have not notified the ICO, are not entered on the data protection register and are not exempt, you are committing an offence of Failing To Notify under section 17 of the Data Protection Act 1998.
Triforce Recruitment Ltd was prosecuted at Westminster Magistrates’ Court for committing the offence of Failing To Notify under section 17 of the Data Protection Act 1998. The company, which provides career opportunities for service leavers and ex-forces personnel, was found guilty in its absence of the offence of processing data without having an entry in the data protection register. The company was fined £5,000 and ordered to pay costs of £489.85 and a victim surcharge of £120.
It is therefore essential, if you are processing personal information, to register your Organisation with the ICO to avoid prosecution and fines, both now and following the implementation of the Data Protection Act 2018.
For more information on registering with the ICO or advice on the upcoming GDPR, please contact Andrew Swan, Head of Regulation and Financial Crime, or Sheila Ramshaw, Specialist in Regulation, at Short, Richardson & Forth on 0191 232 0283.