Do you run a UK company, partnership or sole proprietorship in which you collect and keep data that identifies individuals? Then you need to notify the Information Commissioner’s Office and pay a small annual fee.
The Data Protection Act 1998 requires every business obtaining, recording, storing, updating and sharing personally identifiable information of any living European citizen to register with the ICO as a data controller.
It is a criminal offence not to register if your business fits this description.
The ICO has the power to levy fines on organisations responsible for the most serious failings, including data breaches and nuisance electronic communications where there is damage and distress, or at least a very real risk of it.
The good news is, ICO registration isn’t very expensive, even for us small businesses. Until April 1st 2018 the lowest and most widely applicable cost to a small UK Company or sole proprietor is £35, but in some cases an exemption applies depending on your business activity.
More on this in a few minutes.
Planned Changes to the Annual ICO Fee in 2018
The £35 notification fee will be replaced by a comparable “Tier 1” data protection fee of up to £55 from April 1st 2018 as part of a number of changes in preparation for the 2018 data protection refresh (GDPR and ePrivacy).
The forthcoming data protection fee system is based on three tiers and was decided upon by the Department for Digital, Culture, Media and Sport (DCMS). Once again, the fee system will be based on the size of the organisation, turnover, amount of data being processed and the risks associated with that data.
If you pay your £35 annual notification fee before April 1st 2018, that will cover you for a whole year; no need to pay the data protection fee in addition.
The following year you would renew under Tier 1 and begin paying the higher yearly rate of up to £55.
How to Register
You can register online and select your payment type, but you won’t be asked to pay immediately.
You’ll receive an email with payment instructions for the following methods:
- Online form
- Direct debit instruction
Once you’ve paid, the application will be processed, which takes a few days. They’ll email you to confirm receipt of payment.
Your own name or company name will be used as the “Organisation Name” and is made publicly available in the Data Protection Register along with an assigned ICO number.
You can use a virtual office address for inclusion in the public register. That means any of you that work from home can maintain your privacy.
By the way, it’s not a legal requirement to display the ICO registration number on your website, but you might want to anyway to show proof of registration.
Who Does NOT Need to Register with the ICO?
I’ve been looking for any examples of businesses that do not handle personal data whatsoever and would therefore be exempt from registering.
Here are a few examples – assuming they do not and never intend to collect and keep data:
- A door to door window washer
- A roadside mobile food catering unit
- A market stall trader
How Your Business is Assessed
When you register your business with the ICO, they will use their organisational descriptions to assess the nature of the work you do.
During the registration process, you will be required to select a template description of your work which you have the option to edit to be more specific about the information you process.
For example, web designer comes under “Other” at the bottom of this document.
That document shows a description of the nature of the work of a typical web designer and how the processing of personal data serves the legitimate interests of such a business.
Because I am registered with HMRC as a sole trader, I registered with the ICO as a single legal entity under my own full name. If I were running multiple Companies, I would be registering each of them as separate entities and paying individual annual ICO fees for each.
What You Do with Personal Information
You might receive personal information via email, social media, forums, telephone and in person. These details might be kept in a spreadsheet or on paper, which is the case for myself.
This data includes names, email addresses, phone numbers and the particulars of potential and current projects, all kept for “legitimate interests” (the running of my business).
With explicit verbal permission, some of these individuals’ email addresses are manually added to my Mailchimp mailing list.
This all counts as data processing and needs to be taken into consideration during the ICO registration process.
Most small businesses are data processors as well as data controllers. The definitions are explained in more detail on this page.
Transferring Information Overseas
Because the email subscription list service I use is American (MailChimp), the personal data of the recipients (name, email and anything else I collected) is being stored outside the European Economic Area (EEA).
MailChimp’s servers are based in the United States.
Therefore I checked “Yes” to the question about transferring data overseas in Step 2 of registration. If you don’t think you’re transferring data outside the EEA, think again.
WordPress plugins such as Gravity Forms store contact form submissions in the WordPress database. What hosting service do you use to run your WordPress site and what country is that service based in? You may find you’re storing information outside the EEA.
If you are taking business enquiries and then storing that information, you are collecting and processing personal information, making you a controller with legal data protection obligations.
These obligations may or may not have been met even if you’ve been in business for some time, so take the steps needed to resolve this if you haven’t already.