The Information Commissioner's Office (ICO), which upholds information rights in the UK, seems to have taken a more aggressive stance on companies that it deems to be operating as “data controllers” but that haven’t registered as such under the Data Protection Act. The accountancy sector has been hit hard recently, with a number of practices suffering fines of more than £1,000 for breaching the Act – but it could easily be your business that gets targeted.
According to the ICO, a data controller is a person or an organisation who (either alone, or jointly, or in common with others) decides how and why any personal information is to be processed. This is distinct from a data processor, who only processes personal data under instruction from the controller. So in small and medium-sized businesses, the data controller is very likely to be one of the directors.
There are exemptions from notification that relate to the nature of the organisation (not-for-profits are exempt) or where the only personal information being referenced is for staff administration purposes such as payroll. Looking at the exemption list, however, it quickly becomes apparent that registration is more likely to be the normal requirement.
In the first instance it is probably prudent to register anyway and then start checking your Data Protection Act obligations a little more thoroughly.
If you have any queries about how the management of financial and payroll data is impacted by the Data Protection Act then give Lewis Smith & Co. a call on 01384 235549 to arrange a free consultation. It is an area we have a lot of experience in.
Lewis Smith & Co. – Tax planning and compliance for Wednesbury businesses