There seems to be some confusion out there about the requirement to register with the ICO – the Outsourced DPO was asked about this on four separate occasions last week.
If you cast your mind back, articles 18 and 19 of the Data Protection Directive (Directive 95/46/EC) contained an obligation for data controllers to notify the supervisory authority. Part 3 (sections 16 to 26) of the DPA98 implemented this requirement, leading the ICO to create and maintain a register of data controllers.
The Outsourced DPO bleated on for years about the lack of notification by organisations and the lack of action by the ICO in this regard. In fact, between 2008 and 2012, the Outsourced DPO carried out an annual survey of notifications in the professional sports industry, reviewing 250 professional sports clubs and sports governing bodies, including leading football, rugby, and cricket clubs, and consistently found that a mere 10% of clubs had registered as data controllers with the ICO.
It came as no surprise that Recital 89 of the GDPR pretty much said that the notification scheme envisaged by the Directive had not worked and should be abolished and replaced with more effective procedures and mechanisms such as the Outsourced DPO’s favourite topic, records of processing activities.
People who think that the GDPR contains requirements for registration with the ICO are mistaken – all of that went when the Directive and DPA98 were repealed in May 2018.
The requirement to register with the ICO and pay a registration fee is in fact provided for in The Data Protection (Charges and Information) Regulations 2018. These bear many similarities to the previous DPA98 regime so people can be forgiven for any confusion.
Essentially, these regulations require data controllers to register with the ICO and contain many of the exemptions that were prevalent in the old regime. For example, a data controller is exempt from notification if it is only undertaking processing for the purposes of administration of employees, volunteers or contractors; the purposes of advertising, marketing and public relations of its own activity, goods or services; and the purposes of keeping accounts of transactions, making financial or management forecasts or evaluating suppliers and customers (other than credit checking). Please ensure you check your own use case as the Outsourced DPO has simplified these exemptions.
The questions that have recently arisen are:
- Do we need to register as a data processor? Answer is “no” but you do as a data controller unless you are exempt.
- We are a group of companies, can we do a group registration? Answer is “no” – each data controller must register unless they are exempt.
- We are a small company employing under 250 people. Do we need to register? Answer is “yes” unless you are exempt.
- We undertake the three exempt processing activities listed above in addition to having dash cams in our vans. Are we exempt? Answer is “no”, operating dash cams is not a form of processing included in the exemptions.
- We have a shell company that is a data controller but only processes personal data for employment purposes. Are we exempt? Answer is “yes”, but please ensure that the processing activities really are that limited and remain so.
So, hopefully that clears up the questions but please don’t hesitate to contact our support desk if you have any questions.