Data protection is the ‘fair and proper use of information about people’ and underpins an individual’s fundamental right to privacy. From a business perspective, it is about building trust between your organisation (i.e., the controller) and your customers (i.e., the data subjects) by treating everyone fairly and openly, and by recognising their right to control their own identity and their interactions with others.
A controller is usually an organisation or a sole trader that collects, processes, and handles data. As the controller, they are responsible for ensuring that the processing of that data complies with UK laws and regulations.
A data subject is the technical term for the individual to whom the personally identifiable information relates.
Data protection is not just a legal necessity; it is crucial to protecting and maintaining your business. Regardless of how your organisation stores or handles data, any identifiable information about an individual needs to be protected. Simply put, personal data in the UK is protected by law, namely the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).
In short, the DPA 2018 (Data Protection Act) was introduced in 1995 as a UK equivalent to the EU's 1995 Data Protection Directive – the General Data Protection Regulation (GDPR) came into effect in 2018, designed as a direct replacement for the Data Protection Act.
The DPA 2018 sets out the framework for data protection law in the UK, updating and replacing the Data Protection Act 1998, and was amended on 1 January 2021 to reflect the UK’s status outside the EU.
The DPA sits alongside and supplements the UK GDPR, for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.
Key pieces of information commonly stored by your business, be that employee records, customer details, loyalty schemes, transactions, or other collected data, need to be protected. This prevents that data from being misused by third parties for fraud through social engineering attacks (i.e., phishing scams and identity theft).
Common data that your business might store or process may include:
This data contains sensitive information that could relate to your current staff and their partners or next of kin; shareholders, business partners and clients; and customers and other members of the public. Protecting all of this information in accordance with the Data Protection Act requires businesses to adhere to specific principles.
The Data Protection Act contains a set of principles that organisations, government, and businesses must adhere to, so data remains accurate, safe, secure, and lawful.
These principles ensure data is:
There are stronger legal protections for more sensitive information, such as:
The introduction of the GDPR represents the most significant shift in data security standards for several decades. Although many of the underlying principles remain the same as in the DPA, the GDPR’s scope is far more comprehensive and wide-reaching, meaning businesses need to amend their data protection policies accordingly or potentially face serious consequences.
GDPR is a UK law which came into effect on 25 May 2018. It sets out the key principles, rights, and obligations for most processing of personal data in the UK, except for processing by law enforcement and intelligence agencies.
It is based on the EU GDPR (General Data Protection Regulation (EU) 2016/679), which applied in the UK before that date, with some changes so that it works more effectively in the UK context.
You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe. The EU GDPR is regulated separately by European supervisory authorities, and you may need to seek your own legal advice on your EU obligations.
If you hold any overseas data collected before 01 January 2021 (referred to as ‘legacy data’), this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’).
GDPR dictates that you must appoint a DPO if you are a public authority or body, or if you carry out certain types of processing activities such as regular and systematic monitoring of individuals, or large-scale processing of sensitive data.
Although other businesses are not legally required to have a DPO, the ICO recommends every business appoints a DPO to comply with GDPR and avoid fines.
Outsourcing a data protection officer is more cost-effective than an internal hire, particularly as you only pay for the time you require (saving on overheads, holiday cover, etc.). You also benefit from access to a wide team of certified GDPR practitioners, data protection professionals and technical experts, rather than limiting your business to the experience of one individual.
If you would like to know more about a Virtual Data Protection Officer, you can learn more here or get in touch with one of our cyber experts today and we’ll be happy to assist you.
The ICO (the Information Commissioner's Office) is an independent body dedicated to upholding information rights in the public interest and data privacy for individuals in the UK. The ICO enforces the provisions of the Data Protection Act and the GDPR, as well as other important pieces of legislation such as the Freedom of Information Act and the Privacy and Electronic Communications Regulations.
One of the main aims of the ICO is to ensure that organisations comply with data protection laws. This entails making sure they process personal information in a fair and transparent manner that respects the rights of the data subject. The ICO has a duty to investigate complaints from members of the public and can impose hefty fines on businesses that are found to be flouting data protection rules.
Under the Data Protection Act, any entity that processes personal information needs to register with the ICO and pay a data protection fee unless it is exempt. This applies to every type of company, from sole traders and SMEs through to multinational corporations.
However, you are not required to register with the ICO and pay a fee if you are only processing personal data for staff administration, accounts and records, not-for-profit reasons, personal or family affairs, and advertising, marketing and public relations purposes. Though unlikely, you are also exempt if you only keep paper records and do not use an automated system such as a computer to process personal information.
Even if you fall into one of these categories but your business uses CCTV for crime prevention purposes, you will still need to register and pay the fee.
You can use the ICO self-assessment form to determine whether or not you are exempt.
If you aren’t exempt, you’re required to pay a yearly fee that is set by Parliament. The fee depends on the size of your business, most notably how many staff you employ and your annual turnover.
There are three payment tiers ranging from £40 to £2,900; most businesses will pay either £40 or £60 per year. It may be best to opt for a direct debit payment method, ensuring your organisation does not forget to renew the following year.
The three payment tiers and the associated annual costs are:
Tier 1 - micro-organisations - If you have a maximum turnover of £632,000 for your financial year or no more than 10 employees, the fee is £40.
Tier 2 - small and medium organisations - If you have a maximum turnover of £36 million for your financial year or no more than 250 employees, the fee is £60.
Tier 3 - large organisations - If you exceed the figures stated in tiers 1 and 2, you will be in tier 3 and the fee is £2,900.
However, one exemption is that charities and small occupational pension schemes pay £40 regardless of their turnover or staff numbers.
You can pay your data protection fee online via the ICO website. If it’s the first time you’re submitting a payment, you’ll need to fill out a form, which can take around 15 minutes. You’ll need your company registration number (if you have one), the number of employees you have, your contact details, and your bank or card details.
Businesses that don’t adhere to data protection rules and fail to pay their yearly fee can be fined up to £4,350 by the ICO, so it is always best practice for your organisation to pay the much smaller yearly fee.
On top of this, the ICO publishes a list of all fee-paying companies. So, if your business isn’t on that list, it becomes obvious to your customers and suppliers quite quickly.
Paying the fee and getting yourself on the list not only helps you avoid financial penalties, but is also seen as a sign that you’re aware of your data protection obligations.