Data Protection Licence – What It Is and How to Apply

The Data Protection Act is the legislation in place to control how our personal data is used by organisations.

Under the Act, data protection principles must be followed by anyone responsible for using our personal data. This includes using our data:

• Fairly, lawfully and transparently
• Only for explicit purposes

You must also keep it current and protect it from unauthorised processing.

Our sensitive personal data – our race, religious beliefs, sexual orientation and so on, have more vital legal protection under the Act.

And we have rights under the Data Protection Act. For example, we must be told how our data is used and we have the right to have it deleted if we so wish.

An organisation must register for a license to process personal data.

To get a data protection licence, organisations must pay an annual data protection fee. The fee goes to the Information Commissioner’s Office (ICO). Paying the fee is essentially your licence to process data. Then you must follow certain data protection principles when processing data.

Proceeds of the fee go towards the work needed to enforce the General Data Protection Regulations (GDPR).

In the words of the ICO, “Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO unless they are exempt.”

Suppose you collect personal data like employee details, client and supplier information or CCTV footage in automated form. In that case, (using a computer system), you need to pay the fee.

If you are processing personal information for one or more of the following reasons, you are exempt:

• Staff administration
• Advertising, marketing and public relations
• Accounts and records
• Not-for-profit purposes
• Personal, family or household affairs
• Maintaining a public register
• Judicial functions
• Processing personal information without an automated system such as a computer

If you are a member of the House of Lords, an elected representative or a prospective representative, you are also exempt.

Using the self-assessment tool, you can clear up any confusion on whether you have to pay.

You must notify the ICO if you process personal data. This is a statutory requirement; you will break the law if you don’t.

You’ll be asked to explain how you will process the data and why it’s necessary for you to do so.

The ICO has created a straightforward online form for organisations to complete. Before you start completing the form, make sure you have the following details to hand:

• Business address
• Number of employees
• Annual turnover
• Types of data you process
• Data Protection Officer details (name, email address, contact number)

The size and annual turnover of your business determine the fee amount. Companies fall into three tiers:

Tier 1: Micro organisations – Fee £40

Micro organisations are those with a yearly maximum turnover of  £632,000 and no more than 10 employees.

Tier 2: Small and medium organisations (SMEs) – Fee £60

SMEs are those organisations with a maximum annual turnover is £36 million and you have no more than 250 employees.

Tier 3: Large organisations – Fee £2,900.

This relates to any business that doesn’t fall into the first two tiers.

Charities and small occupational pension schemes must only pay £40, regardless of size or turnover.

Remember this is an annual data protection fee, so it must be renewed yearly.

The ICO will send you a reminder six weeks before your renewal fee is due. You must retrieve your order and registration reference details to complete the renewal.

It’s a good idea to note the date your licence will expire to ensure that you never let it lapse. If you fail to renew it and continue to process data, you will fall foul of the law.

Firstly, you will be on the wrong side of the law if you should pay, but choose not to. Fines for not paying range from £400 to £4000. The ICO has issued 126 fines to companies that did not pay.

But that’s not all. The ICO also ‘name and shame’ those who don’t pay.

On the contrary, they also publish the names of all companies that pay on the fee payers register. This is the list you would rather be on. You can direct your customers, clients and suppliers to this list. This shows that you know your legal obligations when processing their data.

There is a lot to know regarding data protection and GDPR. But it’s worth putting in the time to get up to speed with everything. Getting fined or causing harm to your customers and employees for poor data practices isn’t worth it. Set some time aside to learn more with our GDPR Awareness Training.