Should My Business Register With The ICO?
Key Contact: Declan Goodwin
Author: John Tay & Rachel McCulloch
Every sole trader, business or organisation that processes personal data must register with the Information Commissioner’s Office (“ICO”). Failing to register may lead to the imposition of a fine. The ICO keeps a public list of organisations that have received a penalty notice for not paying the fee. It is therefore essential you can correctly identify whether your business needs to register.
What businesses are exempted from registering with the ICO?
There are a number of exemptions which only apply in very specific circumstances. If your business can rely on an exemption, it will not need to register with the ICO. Your business would be exempt if it is processing personal data purely for one (or more) of the following purposes:
- staff administration (including to run your organisation’s payroll);
- advertising, marketing and public relations in connection with your own business;
- accounts and records (such as invoices or payments);
- personal, family or household affairs;
- performing judicial functions;
- performing elected representative functions;
- maintaining a public register; and
- processing personal information without an automated system such as a computer.
Many businesses, however, process personal data for purposes other than (or in addition to) those listed above, which suggests that they may not be able to rely on an exemption from registration.
For example, if a business records and updates its staff’s personal data for the purposes of staff administration and managing its own accounts, then it may be exempt from registering with the ICO. However, if this same business also collects personal data from job applicants for recruitment purposes, it will no longer be able to rely on an exemption from registration.
Similarly, if a business collects personal data from its customers for advertising and marketing its own goods or services, then it may be exempt from registering with the ICO. However, if this same business also uses customer personal data to deliver goods or perform a service for its customers, it will not be able to rely on an exemption from registration.
- An online retail business will need to collect and use a customer’s name and address to deliver ordered goods.
- A healthcare professional will need to record and analyse medical data of their patients in order to provide appropriate advice and support to them.
How we can help!
We are now offering a complementary service to determine whether your business or organisation is required to register with the ICO. This service can be found here.
If your business or organisation is required to register with the ICO, you can find out more about our ICO Registration service here.
For further information or advice, please reach out to [email protected]