Over the next few weeks we will be going back to data privacy basics in our eight-part “Europe under Review” blog series. We will be comparing current data privacy laws and best practice in the UK with the proposed new state of play under the draft Data Protection Regulation. We kick off our first blog in the series with the topic of registration.
In the UK, there is a general obligation on data controllers to register details about their processing of personal information with the Information Commissioner’s Office (ICO). This is also known as “notification”, and the register is public. Failure to register with the ICO, or processing personal data outside the scope of a registration, is a criminal offence. Certain organisations are exempt. For example, not-for-profit organisations and organisations that only process personal data for staff administration, for their own advertising, marketing and public relations, and for running their accounts don’t have to register. The registration process with the ICO has recently changed to a new, simpler format. The new format consists of template “nature of work” descriptions, which an organisation can choose when making its filing.
The rules in other EU member states vary significantly. Registrations are generally required in France and Spain, for instance, but not in Germany, provided a data protection officer has been appointed.
Keep your registration with the ICO under review and make any necessary amendments as soon as possible. An organisation that has a presence in various EU member states should ensure that it has in place all local data protection registrations where required. Best practice is to ensure that someone within the organisation takes ownership of managing the local registrations. This is usually best handled centrally.
Position under draft Data Protection Regulation
Under the draft Regulation there will be no requirement to register or notify with a data protection supervisory authority anywhere in the EU. Instead, organisations will be required to maintain certain documentation internally (this will be discussed in more detail under the “Privacy Governance” blog piece later in this series).
Clearly, removing the requirement to register is good news for organisations. Let’s admit it: registration serves little purpose in practice! So does this also reduce the administrative burden? Not really! Given the other proposed changes, the overall effect is to “internalise” the bureaucracy in that organisations will in future need to maintain new detailed documentation and records of all their processing ready for regulatory inspection. So the overhead is likely to go up in net terms. This is also bad news for data protection supervisory authorities (such as the ICO), as they will lose a major revenue stream (the registration fees). As a consequence, data protection authorities may be further stretched in resource, unless funding is made available from elsewhere.
Keep an eye out next week for Part 2 of “Europe under Review” on the topic of data collection…