How much does your business rely on data? Is any of it personal? Do you process it? If your answer to these questions is yes, you should be a registered data controller with the Information Commissioner’s Office (ICO) regardless of the size of your organisation. Many businesses conduct numerous processes relying on personal data on a daily basis, but do not realise they must inform the ICO of the general purpose and means of these dealings in advance. The fee is £35 but a failure to complete the process is a criminal offence as stipulated by the Data Protection Act 1998 (DPA) – see sections 17 and 19 for further information.
“Personal data” is defined as data which relates to a living individual who can be identified from that data, and from the data and other information which the data controller has in possession, or might receive later. This means personal names, email addresses, physical addresses, phone numbers – a group of identifiers which has become even more difficult to make exhaustive in the Internet era (IP addresses for instance are also personal data). Moreover, “processing” has been given a wide meaning to include both the active use of personal information, alteration, disclosure, erasure, to the mere holding and storage of it. The data controller is held responsible for the fair and lawful processing of data as under the DPA because he (jointly and in common with other persons) determines the purpose and the manner in which it is or will be processed by the data processor.
Under the present version of the DPA the data controller is responsible for upholding the eight data protection principles – thus a data processor could in theory escape liability. However, once the General Data Protection Regulation (GDPR) comes into force in 2018, the data controller and data processor will share the same data protection responsibilities.
Take the self-assessment on the ICO’s website to confirm whether you are indeed a data controller in light of what your business does with personal data.
Registration is only the first step towards building a strong data protection framework at your organisation. Next steps include but are not limited to: ensuring that your team has basic knowledge and understanding of data protection laws, and that you have made reasonable and proportionate efforts to comply with all data protection principles (this is determined on a case-to-case basis); that you are preparing for the changes the GDPR is going to introduce regardless of Brexit; are reviewing your Privacy and Cookie Policies on a regular basis, and make the necessary amendments to data protection clauses in all contracts you enter into.
The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. Internet subscribers and online readers should not act upon this information without seeking professional counsel.