UPDATED January 2021 – Please click here to read the latest version of this article
Many companies are at risk of committing a criminal offence and attracting bad publicity by failing to register (notify) under the Data Protection Act. Notification to the Information Commissioner’s Office (ICO) under the Data Protection Act is a relatively straightforward step. On the other hand, failure to notify is publicly visible – because firms which have registered are on the searchable register on the Information Commissioner’s website which contains the name and address of data controllers and a description of the kind of processing they do – and could also betray a failure to comply with Data Protection requirements more generally.
The Data Protection Act requires every data controller who is processing personal information to register with the ICO, unless they are exempt. Failure to notify where required to do so is a criminal offence.
The Act largely covers personal data held on computer, but it also manual data that is held within a structured filing system.
Most organisations that handle personal information must register (notify) with the ICO. There is no need to register if you handle personal data only for core business purposes of staff administration, advertising marketing and PR and accounts and record keeping. So long as processing remains strictly within these limits, then there is no need to register. However, even if you are exempt from registration you must still comply with the other provisions of the Act, and it may be advisable to register voluntarily for public transparency and in case any of your processing should extent beyond the scope of the exemptions (so as to avoid the criminal offence of processing without notification).
Registration cannot, as yet, be effected online in the UK but the forms may be completed using the standard templates available from the ICO website and, once completed online, may be printed off, signed and sent with the appropriate fee to the ICO. The fee is £35 but for larger data controllers with an annual turnover of £25.9 million and 250 or more members of staff, the fee is £500.
The ICO does not seek to verify the contents of the notification and cannot refuse registration. However, in the event of any sort of regulatory action following for example a complaint about data protection, the ICO may check that the notification is accurate and take enforcement action if it is found to be incomplete.
Notifications are renewable annually. There is no such thing as a parent company registration, which means that each data controller within a corporate group must register. The data protection register can be searched on the ICO website at https://ico.org.uk/ESDWebPages/Search
Contact us if you need any assistance with notification.