Under the Data Protection Act, your organisation should have told the Information Commissioner’s Office (ICO) what information you process (using one of their online templates) and paid them an annual fee.

As a result of the new General Data Protection Regulation (GDPR), this will soon no longer be a requirement. However, you will still have to put together and maintain an internal register of all the personal data you process, and make it available to the ICO on request.

One important difference is that, unlike the requirement to notify the ICO, the obligation to keep a register applies both to the controller and to the processors it appoints to handle the information on its behalf. Each must keep its own separate register.


Do all organisations need to keep a register? 

The simple answer is no, but the exemption is narrow. A register must be kept by:

  • Organisations with 250 or more employees.
  • Smaller organisations where any of the following applies:
  • The processing is “likely to result in a risk to the rights and freedoms” of individuals.
  • The processing is not “occasional”.
  • The processing includes one of the “special categories of personal data”, or data about criminal convictions or offences.

In practice the “not occasional” test alone means that almost any organisation which handles personal data as part of its normal business will need a register. Further guidance is expected, but most organisations should already be able to build one from their existing ICO notification and records-management systems.


What information needs to be in the register?

Under the DPA, the ICO issued standard templates for different categories of organisation. At this stage it is not clear whether the ICO will do this again or whether companies are expected to create their own registers, but the GDPR itself sets out what each register must contain.

Register of Information – Data Controller:

  • Name and contact details of the controller and, where applicable, any joint controller.
  • Name and contact details of the controller’s representative and of the Data Protection Officer, where one has been appointed.
  • Purpose of the processing.
  • Description of the categories of data subjects and of personal data.
  • Categories of recipients to whom the personal data has been or will be disclosed, including recipients in countries outside the EEA.
  • Information about transfers to countries outside the EEA, including the safeguards relied on.
  • When the different categories of personal data will be erased, where possible.
  • A general description of the security measures in place to protect the personal data.

Register of Information – Data Processor:

  • Name and contact details of the processor(s) and of each controller on whose behalf they act.
  • Name and contact details of the controller’s or processor’s representative and of the Data Protection Officer, where one has been appointed.
  • The categories of processing carried out on behalf of each controller.
  • Information about transfers to countries outside the European Economic Area (EEA), including the safeguards relied on.
  • A general description of the security measures in place to protect the personal data.


Co-operating with the Authorities

The records must be made available on request to the ICO or to the data protection authority of any other EU member state, and both controllers and processors are required to co-operate if the authority asks for further assistance.

Special categories of Personal Data

The GDPR refers to “special categories of personal data”, which is what the Data Protection Act called “sensitive personal data”. This now covers: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed in order to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation. Processing of these categories is prohibited unless one of the specific exceptions in the GDPR applies.

This is not legal advice, just general guidelines, so to find out more, contact Tracey Wakelam at Probert Legal at TraceyWakelam@ProbertLegal.com