This article by Richard Stone, managing director of technical PR agency Stone Junction, addresses the important questions around data protection and why it is so important that your company is GDPR compliant.
You might think the phrase ‘harvesting data’ sounds a little bit X Files, but for most businesses compiling large amounts of customer or stakeholder data is far from an alien concept. And yet only 20% of organisations currently believe they are GDPR compliant.
Although the data privacy space is littered with misconceptions, one thing has always been made abundantly clear; if you want to process personal information you probably need a license from the Information Commissioners Office (ICO) — yep, even you.
We are asked by clients about this a lot, it’s up there with ‘do I need an NDA or CLA licence?’, so we thought a concise blog containing the simple answer would help all the people out there are who are Googling the same question; ‘do I need a data protection licence?’.
Who needs a data protection license?
Well, pretty much everyone collecting data. It would be quicker to tell you who doesn’t need a license. Hint: most MP’s and not-for-profits are exempt. Unfortunately, however, if you aren’t Ed Balls or Born Free you may have to fly the white flag and pay the ICO — sorry!
According to the GOV UK guidelines, the DPA (Data Protection Act) license is a requirement for all ‘organisations [whom] process personal data in an automated form’ and/or is a data controller for the purposes of the GDPR.
In may seem a little confusing, but the simple answer is if your business collects employee details, client information or CCTV footage for the purposes of cataloguing a living person, you need to inform the ICO. The same is true if you collect journalist details, prospect details for marketing or even just birthdates so you can send out cards.
Still unsure? The ICO have a handy self-assessment tool that will clear up any confusion.
Do I have to pay the ICO?
If you have already established that your business needs a license, then yes, you do have to pay. How much you pay, however, is all relative to the size of your company.
Tier 1 organisations must turnover a maximum of £632,000 or have no more than 10 employees. If this applies to you, then you only need to pay the ICO £40 — woohoo.
Tier 2 is up to £36 million in turnover or 250 employees. Despite the huge financial leap, the fee in this tier is only £60. Tier 3 is anyone who does not meet the criteria for the first two tiers. The fee this time is £2,900.
The tiers are self-explanatory but the ICO has a tool for this as well.
How long does the license last for?
Your DPA license must be renewed on an annual basis — much like a Netflix or Disney+ subscription. To do this, you will need your unique registration details and a bank card — again, just like Netflix and Disney+. You don’t get Falcon and The Winter Soldier or WandaVision included this time though.
Failure to renew is a criminal offence and you could be faced with an unlimited fine if you allow more than once year to elapse. But don’t fret, the ICO will write to you before the expiration date with details about how to reregister.
Once paid you can sit back and relax knowing you are DPA compliant for another year.