The Information Commissioner’s Office (ICO) have recently written to businesses throughout the UK regarding their requirements and obligations under the General Data Protection Regulations (GDPR). Although this may have looked or seemed like a scam it was a genuine letter with which you need to take some form of action.
Who are the ICO?
The ICO is the UK’s independent authority which was set up to uphold information rights in the public interest. This means that they cover various legislation from the Data Protection Act to the Freedom of Information Act and ensure data and information is processed responsibly. Their aim is to increase the confidence that the UK public have in organisations that process personal data. If a company is found to be breaching rules then ICO have the power to enforce monetary penalties, notices and prosecutions.
Do you, as a PSC need to do anything?
The Data Protection (Charges and Information) Regulations 2018 requires every business that processes personal information to either register as an exempt business or register and pay a fee to the Information Commissioner’s Office (ICO). This is a legal requirement all UK businesses must meet, and the responsibility to comply lies with the director.
Assuming that you are only holding personal data for the purposes of staff administration (including payroll) and for the processing of accounts and records (i.e. invoices and payments), we believe that you would qualify as an exempt business. However it is always worth checking with ICO using their simple, 5 minute questionnaire.
What do you do if you’re exempt?
If you are exempt you will need to claim the exemption yourself, which can be done via the ICO website. After you’ve submitted your exemption claim, the ICO may follow up with a call if they require more information and they also recommend that you keep a record of your decision in case you are challenged on this in the future.
What do you do if you need to pay a fee?
If you feel that you don’t qualify as an exempt business then you will need to register and pay the fee. The cost of your data protection fee depends on your size and turnover. More details on this along with how you can register and pay can be found on the ICO website.
How often do I need to review my ICO status?
You are also required to review your status every 12 months and update the ICO accordingly.
