Have you Registered as a Data Controller?

Following the recent referendum businesses and organisations may be of the view that protection of personal data originating from an EU measure is not a particular concern to them. The ICO, however, have reconfirmed that it is business as usual by continuing to sanction data protection law violations, as experienced first-hand by telecommunications company Bizcall Communications Limited.

Personal data is ubiquitous in the contemporary world, and nearly all organisations process data at some point, be it storing client information or recording CCTV footage. Thus, most businesses must comply with the Data Protection Act 1998 (DPA), which defines UK law on the processing of data on identifiable living individuals.

As part of this compliance, it is a legal requirement for a business to register as a data controller if it collects, uses and keeps personal information.

What is the register?

The register is maintained by the Information Commissioner’s Office (ICO – the independent body established in the UK to uphold information rights in the public interest), and is published online for all to search. The register shows the name and address of data controllers, in addition to a description of the kind of processing they do.

Why should I register?

Besides the obvious adverse publicity and reputational damage of non-compliance with data protection law, failure to register as a data controller can result in an unlimited fine. As an example, Bizcall, a telecommunications company, were prosecuted for the serious offence of processing personal data without having registered with the ICO, which indicates the ICO’s intention to persist in applying the DPA regardless of our current ‘European’ status.

The company were found guilty of the offence and forced to pay more than £1,000 in fines and costs.

Such fines could have been avoided had Bizcall registered their organisation with the ICO using an online form that should take approximately 15 minutes to complete. The registration process is inexpensive with a cost of just £35 for most businesses (contrary to the fee that some companies will charge to register an organisation by proxy), with a larger £500 fee applying to organisations with a turnover of £25.9 million and 250 or more members of staff, and to public authorities with 250 or more members of staff.

Who has to register?

Any organisation or individual that collects, uses and keeps personal information must register with the ICO as a data controller.

However, there are some exceptions, which include those who process personal data for the following purposes: staff administration; advertising; marketing and public relations for their own business; accounts and records; judicial functions; personal, family or household affairs; maintenance of a public register.

Nevertheless, even if an organisation is exempt from the requirement of registration, they must still comply with other provisions of the DPA. In this connection, it may be worth registering with the ICO, regardless of exemptions, for both transparency purposes and in terms of financial risk, as £35 is a much more palatable price to pay than the fine inflicted on Bizcall.

Organisations and business should also consider additional measures they may be required to take to ensure compliance with the General Data Protection Regulation, which is set to enter into force in 2018. At present there may be some uncertainty as to how this EU measure will be implemented. However, the ICO has recommended that organisations and business should start preparing for these changes as reform of data protection law is likely to occur.

Forbes Solicitors regularly provide advice to public authorities, providers of social housing, charities and business regarding the Data Protection Act 1998. If you have any questions, please contact Daniel Milnes.


Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.
This entry was posted in Housing Litigation and tagged , , , , , , , , , .