To process personal data, you need to have a data protection licence. Why? Because without one, you will be breaking the law and could end up paying a fine.
On top of that, the Information Commission will have the pleasure of naming and shaming your company – something that can harm current and future business relations.
You get the licence by paying an annual fee. Once you have it, you can lawfully process data. But what is the data protection licence and how do you apply for it? Read on to find out and learn about the straightforward application process.
The Data Protection Act 2018
The Data Protection Act is the legislation in place to control how our personal data is used by organisations.
Under the Act, data protection principles must be followed by anyone responsible for using our personal data. This includes using our data:
- Fairly, lawfully and transparently
- Only for explicit purposes
You must also keep it current and protect it from unauthorised processing.
Our sensitive personal data – our race, religious beliefs, sexual orientation and so on – has stronger legal protection under the Act.
And we have rights under the Data Protection Act. For example, we must be told how our data is used and we have the right to have it deleted if we so wish.
An organisation must register for a licence to process personal data.
What Is a Data Protection Licence?
To get a data protection licence, organisations must pay an annual data protection fee. The fee goes to the Information Commissioner’s Office (ICO). Paying the fee is essentially your licence to process data. Then you must follow certain data protection principles when processing data.
Proceeds of the fee go towards the work needed to enforce the General Data Protection Regulation (GDPR).
Who Needs a Data Protection Licence?
In the words of the ICO, “Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO unless they are exempt.”
If you collect personal data such as employee details, client and supplier information or CCTV footage in automated form (using a computer system), you need to pay the fee.
If you are processing personal information for one or more of the following reasons, you are exempt:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
If you are a member of the House of Lords, an elected representative or a prospective representative, you are also exempt.
Using the self-assessment tool, you can clear up any confusion on whether you have to pay.
Notifying the ICO
You must notify the ICO if you process personal data. This is a statutory requirement; you will break the law if you don’t.
You’ll be asked to explain how you will process the data and why it’s necessary for you to do so.
How Do I Get a Data Protection Licence?
The ICO has created a straightforward online form for organisations to complete. Before you start completing the form, make sure you have the following details to hand:
- Business address
- Number of employees
- Annual turnover
- Types of data you process
- Data Protection Officer details (name, email address, contact number)
What Is the Data Protection Licence Fee?
The size and annual turnover of your business determine the fee amount. Companies fall into three tiers:
Tier 1: Micro organisations – Fee £40
Micro organisations are those with a yearly maximum turnover of £632,000 and no more than 10 employees.
Tier 2: Small and medium organisations (SMEs) – Fee £60
SMEs are those organisations with a maximum annual turnover of £36 million and no more than 250 employees.
Tier 3: Large organisations – Fee £2,900
This relates to any business that doesn’t fall into the first two tiers.
Charities and small occupational pension schemes must only pay £40, regardless of size or turnover.
Remember this is an annual data protection fee, so it must be renewed yearly.
How Do You Renew Your Data Protection Licence?
The ICO will send you a reminder six weeks before your renewal fee is due. You must retrieve your order and registration reference details to complete the renewal.
It’s a good idea to note the date your licence will expire to ensure that you never let it lapse. If you fail to renew it and continue to process data, you will fall foul of the law.
What Happens If the Fee Is Not Paid
Firstly, you will be on the wrong side of the law if you are required to pay but choose not to. Fines for not paying range from £400 to £4,000. The ICO has issued 126 fines to companies that did not pay.
But that’s not all. The ICO also ‘name and shame’ those who don’t pay.
On the other hand, they also publish the names of all companies that pay on the fee payers register. This is the list you would rather be on. You can direct your customers, clients and suppliers to this list, which shows that you know your legal obligations when processing their data.
Get Trained on All Things Data Protection
There is a lot to know regarding data protection and GDPR. But it’s worth putting in the time to get up to speed with everything. Getting fined or causing harm to your customers and employees through poor data practices isn’t worth it. Set some time aside to learn more with our GDPR Awareness Training.