Data protection compliance for SMEs

A question we are often asked is ‘Do I need to register with the ICO?’

In today’s digital age, the processing of personal data has become an integral part of conducting business activities. Whether you’re a small or medium-sized enterprise (SME), it’s essential to understand your obligations under the Data Protection legislation affecting the UK. This includes the UK Data Protection Act (UK DPA), UK General Data Protection Regulation (UK GDPR), and even the EU GDPR if applicable.

SMEs need to understand how data protection works, and why and how to register with the Information Commissioner’s Office (ICO). This is essential to ensure compliance with data protection laws.

Data Protection legislation defines personal data as “information that relates to an identified or an identifiable individual”. It’s important to note that this individual must be living, and that data becomes “personal” only if it relates to that person. Since May 2018, when the EU GDPR came into force, the definition of personal data has been broadened: it now explicitly includes online identifiers (e.g., usernames, social media handles, and logins), IP addresses, and more. These elements are also covered under the UK GDPR.

Pseudonymised data refers to data where identifying information is removed or replaced, reducing the risk to individual privacy. However, it is still classified as personal data under data protection laws. SMEs must be aware that even when pseudonymising data, they must adhere to data protection regulations.

As an SME, you likely process personal data in various ways:

  • Customer and Supplier Data: You may collect and process information such as names, email addresses, telephone numbers, postal addresses (including postcodes), and even banking details for invoicing purposes.
  • Voice and Image Data: If you conduct conference calls or meetings, recording voices or images of participants can also involve personal data processing.
  • Website Data: If your business has a website, you will collect visitors’ IP addresses and may deploy cookies for tracking and analytics.
  • Employee Data: If you have employees, you’ll keep copies of their identity documents to verify their “right to work” in compliance with immigration laws.

How much does it cost to register with the ICO?

When your business engages in any of these data processing activities, you are required to register with the Information Commissioner’s Office. The ICO is the UK’s data protection regulator. The Data Protection (Charges and Information) Regulations 2018 mandate that every organisation or sole trader processing personal information pay a data protection fee to the ICO, unless they are exempt.

Even while you are working out whether you need to pay the fee, remember that you must first register with the ICO to ensure compliance. To determine if you need to pay the fee, you can take a short test available on the ICO’s website. For most SMEs, the annual data protection fee to the ICO is £40. This fee can be further reduced if you choose to pay by direct debit. Considering the potential consequences of non-compliance with data protection regulations, this fee is a small investment. It helps to safeguard your business and reputation.

Ensuring compliance with data protection laws is crucial for SMEs that process personal data in their day-to-day operations. Registering your company with the ICO and paying the applicable fee demonstrates your commitment to protecting individuals’ privacy and data security. This not only helps you avoid legal penalties but also builds trust with your customers and partners. Don’t underestimate the importance of data protection: take the necessary steps to stay up-to-date and compliant with the law.

Article by Sarah Taylor, our Data Protection & AI Director.