From May 25 2018 a new requirement was placed on data controllers in the UK to pay a fee (unless they could claim an exemption) to the Information Commissioner’s Office (ICO). The ICO keeps, and publishes, a register of fee payers, and a new blog post by Paul Arnold, their Deputy Chief Executive, suggests that being on that register sends a “strong message” to customers, and “lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately”. But does it? Or are there more effective ways to show that you are accountable to your customers?
Prior to May last year, it was a requirement under European law for a data controller (again, unless it could claim an exemption) to make a notification to the relevant supervisory authority (the ICO is the supervisory authority for the UK) before processing personal data. In the UK, it was a criminal offence under section 21 of the now-repealed Data Protection Act 1998, to process personal data if the controller was obliged to make a notification but failed to do so. When the General Data Protection Regulation (GDPR) came into direct effect, however (also from 25 May 2018), it removed the European law obligation for notification. In the UK notification fees had funded the ICO’s data protection work for years, and abolition of notification would seriously reduce the ICO budget. Accordingly, domestic fee legislation was enacted, to make up the shortfall (backed up by a civil, rather than criminal, enforcement scheme). There was no suggestion during the legislative process that The Data Protection (Charges and Information) Regulations 2018 were intended by Parliament to create a register of controllers which “value and care about” customers’ personal data; as the Explanatory Memorandum to the Regulations says, they merely “make provision to ensure that the [Information Commissioner] has the financial resources necessary for the performance of her tasks and exercise of her powers as required by the GDPR”.
There are, under GDPR, plenty of provisions which create “accountability” and “transparency” obligations on controllers. These include the requirement to provide information directly to data subjects (under Articles 13 and 14), and the requirement to keep a record of processing activities and make it available to a supervisory authority, should the latter request it (Article28). Compliance with these provisions is one way that controllers can send a message to data subjects that their personal data is valued and cared about. Being on a register of fee payers says nothing more than that the controller has paid a fee, in the same way that appearance alone of a company on the register maintained by Companies House says little or nothing about that company’s compliance with the law.
We think an effective way to show customers that you comply with GDPR, and value and care about their personal data, is by being as transparent and fair as possible – tell people, through a well-drafted privacy notice, who you are, what you’re doing, why (and what the legal basis is), how long their data will be retained, who will have access to it, what their rights are, and keep all of this regularly reviewed and updated as appropriate.
Certainly, controllers should pay the statutory fee to the ICO, but that doesn’t necessarily demonstrate compliance.