If you’re running an online or e-commerce business, chances are you’re holding customers’ personal details on file.
Keeping these details secure is one thing, but what many small businesses fail to realise is that if they haven’t registered with the ICO (Information Commissioner’s Office) under the Data Protection Act 1998, they could be committing a data protection crime! The process of registering is very simple and could save you from ending up in prison, which is a pretty good reason to sign up as far as I’m concerned!
So what's this all about?
It’s essential for most organisations that handle personal information to register (we’ll go into the criteria later on), and each company must appoint a ‘data controller’ within their organisation. The information that you provide to the register broadly covers how your company handles information, and what processes are in place to ensure that the data is secure. If there are any data protection complaints or if any regulatory action is taken against your company, the information you provided to the ICO will be cross-checked, so it is important to provide as much detail as possible.
Do I need to register?
If you’re collecting simple information such as names, email addresses and phone numbers you probably won’t need to register as these are considered to be ‘accounts and records’, which are exempt from registering.
However, if you are collecting any information that is considered ‘personal data’ under the Data Protection Act, then you will need to register with the ICO. Personal data is anything which allows you to identify a person from that information, or other information likely to be in the possession of the website owner.
The key difference is that account information is something which most businesses will collect to identify the client internally, whereas payment details, financial records, CCTV images etc. are seen as more personal and sensitive, and therefore require registration.
A couple of examples
The majority of information provided by the ICO focuses on exemptions to registration, but there’s not a great deal of information on which businesses would typically need to register, so here are a few examples that will hopefully make things easier to understand.
E-commerce store
An online shop that sells laptops and takes payment using their own payment processing system would need to register with the ICO, because they are storing client bank details.
If the same online shop selling laptops used a third party payment processor such as Stripe instead, they themselves would likely not have to register with the ICO. This is because Stripe would be the one handling the client bank details. Of course, Stripe would then need to be registered with the ICO.
Email marketing provider
A good example of a company that would need to notify the ICO under the Data Protection Act is one that sells email lists or direct mailing lists. Because they are not using these details for their own marketing, but selling them to others, the ICO would want to know how securely they store and distribute the data.
Interestingly, a marketing agency that markets to its clients’ contacts on the clients’ behalf wouldn’t have to register, because the data controller at the client company would be responsible for distributing the data in compliance with the ICO principles.
The exemptions
There are a few exemptions to having to join the register. They are somewhat vague, so if you think an exemption may apply to your business, you would be best placed seeking advice from an expert data protection lawyer or giving the ICO helpline a ring on 0303 123 1113.
According to the ICO website, the exemptions are organisations that process personal data for:
- staff administration (including payroll)
- advertising, marketing and public relations (in connection with their own business activity)
- accounts and records (as outlined above)
- some not-for-profit organisations
- organisations that process personal data only for maintaining a public register
- organisations that do not process personal information on computer
There are some helpful posts, like this one, that might help you work out whether you need to register or not, and the ICO has its own self-assessment tool, which you can find here.
It is also possible to join the register voluntarily. Registering voluntarily means signing up to the register, despite knowing that it’s not necessary for your business. The benefit of this is that if a data protection complaint was made against you, the ICO would already have details of how you store your data, which might help mitigate the complaint.
How to apply. It's quick and easy!
Until recently it was only possible to register via post, however it is now much easier, because you can register online at ICO Registration. Registration costs £35 per year for organisations that have a turnover of less than £25.9 million and 249 or fewer staff. If your business exceeds either of these, the fee increases to £500 per year.
For further information, FAQs or to search the register, head to ICO.org.
For help finding a data protection lawyer come to Lexoo. Our service is free and our lawyers are ready to help your business today!
Editor’s Note: This post was originally published in September 2014 and has been updated for freshness, accuracy, and comprehensiveness.