Under the Data Protection Act, your organisation should have told the Information Commissioner’s Office (ICO) what information you process (using one of their online templates) and paid them an annual fee.
Under the EU General Data Protection Regulation (GDPR), which replaces it, this notification will no longer be a requirement. However, you will still have to put together and maintain an internal register (a “record of processing activities”) of all the personal information that you process, and make it available to the ICO on request.
One important point is that, unlike the requirement to notify the ICO, the obligation to keep a register applies both to the controller and to the companies appointed to process the information on its behalf (the processors). Each must keep its own separate register.
Do all organisations need to keep a register?
The simple answer is No, although the exemption is a narrow one. Organisations with 250 or more employees must keep a register. Organisations with fewer than 250 employees must also keep one if any of the following applies to the processing they carry out:
- The processing is “likely to result in a risk to the rights and freedoms” of the individuals concerned.
- The processing is not “occasional”.
- The processing includes one of the “special categories of personal data”, or data relating to criminal convictions or offences.
These conditions are quite vague and could potentially cover all organisations that deal with personal information regularly. There will be […]