The Information Commissioner’s Office (ICO) is the UK’s independent data protection regulator. Its role is to ensure that organisations operating in the UK comply with data protection law. It investigates organisations that breach the data protection principles described below and can impose penalties, including fines, where appropriate.
What is Data Protection?
Almost every service we use involves the collection and analysis of our personal data, from social media companies to banks, retailers and governments. The General Data Protection Regulation (GDPR) is an EU regulation that came into force on 25 May 2018 and is designed to give individuals in the EU more control over their personal data. It applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to individuals or businesses in the EU or monitor their behaviour. Its aim is to ensure that personal data does not fall into the wrong hands and is not misused.
What is considered to be personal data?
Personal data is any information relating to an identified or identifiable living individual. It includes obvious identifiers such as names, national insurance numbers and addresses, but also online identifiers such as IP addresses and cookie identifiers, and any information that, combined with other data you hold, could single out a particular person.
What is the Data Protection Act 2018?
GDPR was brought into UK law through the Data Protection Act 2018 (following Brexit, the retained version is known as the UK GDPR). It controls how personal information is used by organisations, businesses and the government. Everyone responsible for using personal data has to follow strict rules called the ‘data protection principles’. They are:
- Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a way people can understand.
- Purpose limitation: collected for specified, explicit and legitimate purposes, and not used in ways incompatible with those purposes.
- Data minimisation: adequate, relevant and limited to what is necessary for those purposes.
- Accuracy: accurate and, where necessary, kept up to date.
- Storage limitation: not kept in identifiable form for longer than you need it.
- Integrity and confidentiality: processed securely, with appropriate protection against unauthorised access, loss or damage.
- Accountability: you are responsible for what you do with the data and must be able to demonstrate your compliance with these principles.
How does this affect your business?
Your business may process a lot of personal data, often without thinking of it as such. For example:
- Names, shipping addresses and other information that can be used to directly identify individuals.
- Payment card details and, in some cases, sensitive information such as health data (known in GDPR as special category data), which must be processed securely and with additional safeguards.
- Technical information such as IP addresses and cookie identifiers that can be used to indirectly identify individuals.
If you process any of the above, you will need to review how you collect, process and store personal data, and potentially change your practices to keep your business compliant.
Here are some next steps you should take
- Deactivate any default opt-ins, so that subscription and marketing checkboxes are unselected until the customer ticks them. Consent under GDPR must be a clear, affirmative action: pre-ticked boxes, silence or inactivity do not count. Your customer should actively choose to agree to any terms and conditions and to opt in to email subscriptions and similar communications.
- Review the personal data you currently store (you probably have a lot in your inbox!). Storage limitation and the right to erasure are a large part of GDPR, so go over your organisation’s email and document retention policy, with the goal of deleting messages and records after a defined period unless you have a reason to keep them.
Do I need to pay the data protection fee?
Any organisation that processes personal data (including limited companies and sole traders) is required to register with the ICO and pay the data protection fee, unless it is exempt. The ICO provides an online self-assessment tool to help businesses and individuals check whether they need to register and pay the fee.
If you do not need to pay the fee, you can notify the ICO of your exemption through its website.
Organisations that have previously registered receive an annual reminder to renew their registration and pay the data protection fee.
How much does it cost?
The cost of your data protection fee depends on your organisation’s size and turnover. There are three tiers of fees, ranging from £40 to £2,900 a year, but for most organisations it will be £40 or £60 a year.
Be aware of scams
The ICO is warning companies to be aware of scams relating to payment of the data protection fee. If you receive a letter, text message, email or telephone call that claims to come from the ICO and you want to check that it is genuine, do not use any links, phone numbers or payment details contained in the message itself. Instead, go directly to the ICO’s official website, whose address begins with https://ico.org.uk (if you search for ‘ICO fee’ in your usual search engine, check that the result you follow starts with that address), and verify your registration status and any fee due there.