Data Protection Registration and Fees

By David Hendry

There seems to be some confusion out there about the requirement to register with the ICO – the Outsourced DPO was asked about this on four separate occasions last week.

If you cast your mind back, articles 18 and 19 of the Data Protection Directive (Directive 95/46/EC) contained an obligation for data controllers to notify the supervisory authority.  Part 3, (sections 16 to 26) of the DPA98 implemented this requirement leading the ICO to create and maintain a register of data controllers.

The Outsourced DPO bleated on for years about the lack of notification by organisations and the lack of action by the ICO in this regard.  In fact, between 2008 and 2012, the Outsourced DPO carried out an annual survey of notifications in the professional sports industry reviewing 250 professional sports clubs and sports governing bodies including leading football, rugby, and cricket clubs and consistently found a mere 10% of clubs had registered as data controllers with the ICO.

It came as no surprise that Recital 89 of the GDPR pretty much said that the notification scheme envisaged by the Directive had not worked and should be abolished and replaced with more effective procedures and mechanisms such as the Outsourced DPO’s favourite topic, records of processing activities.

People who think that the GDPR contains requirements for registration with the ICO are mistaken – all of that went when the Directive and DPA98 were repealed in May 2018.

The requirement to register with the ICO and pay a registration fee is in fact provided for in The Data Protection (Charges and Information) Regulations 2018.  These bear many similarities to the previous DPA98 regime so people can be forgiven for any confusion.

Essentially, this regulation requires data controllers to register with the ICO and contain many of the exemptions that were prevalent in the old regime.  For example, if a data controller is only undertaking processing for the purposes administration of employees, volunteers or contractors; the purposes of advertising, marketing and public relations of its own activity, goods or services; and the purposes of keeping accounts of transactions, making financial or forecasts or evaluating suppliers and customers (other than credit checking) they are exempt from notification.  Please ensure you check your own use case as the Outsourced DPO has simplified these exemptions.

The questions that have recently arisen are:

  1. Do we need to register as a data processor? Answer is “no” but you do as a data controller unless you are exempt.
  2. We are a group of companies, can we do a group registration? Answer is “no” – each data controller must register unless they are exempt.
  3. We are a small company employing under 250 people. Do we need to register?  Answer is “yes” unless you are exempt.
  4. We undertake the three exempt processing activities listed above in addition to having dash cams in our vans. Are we exempt?  Answer is “no”, operating dash cams is not a form of processing included in the exemptions.
  5. We have a shell company that is a data controller but only processes personal data for employment purposes are we exempt? Answer is “yes”, but please ensure that the processing activities really are that limited and remain so.

So, hopefully that clears up the questions but please don’t hesitate to contact our support desk if you have any questions.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.


    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    IMPORTANT INFORMATION

    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021