ICO Registration and Fees

Currently, many organisations pay a fee to the Information Commissioner’s Office (ICO) as a Data Controller. These registrations (or notifications) would have been removed by the application of the GDPR into UK law. However, a new registration and fee scheme for Data Controllers will come in from 25 May 2018, the same day the General Data Protection Regulation is introduced across the EU.

There was mention of a move by the ICO to levy new fees for Data Controllers last year on its blog and Twitter. These have now found their way into draft regulations presented to Parliament. Originally it was thought that fines would support the funding of the ICO, but to ensure the continued funding of the ICO, the Government has announced a new charging structure for Data Controllers. Until then, organisations are legally required to pay the current notification fee, unless they are exempt.

To help Data Controllers understand why there is a new funding model and what they will be required to pay, the ICO has produced a Guide to the Data Protection Fee, which can be found at www.ico.org.uk. It should be noted that this is a draft at the moment, as the model has to be approved by Parliament before it is confirmed.

Key Changes and Information

If you have a current registration, you do not need to renew it on 25 May 2018, just when it runs out.

There are exemptions from the need to register – these are set out in the draft guidance, but may change in Parliament. There are some activities which trigger the need to register as well, though these have been widened from the current regime.

Charities and small occupational pension schemes just pay the Tier 1 fee.

Fee levels – these are between £40 and £2,900 based on number of staff and (for non-public bodies) turnover as well.

There is a default position of Tier 3, unless and until you can demonstrate to the ICO that you are a Tier 1 or 2 organisation.

Below is the revised Tier structure:

  • Tier 1 – micro organisations – cap of £632K turnover or 10 members of staff – £40
  • Tier 2 – small and medium organisations – cap of £36M turnover or 250 members of staff – £60
  • Tier 3 – if you exceed the caps in Tier 2, then the fee is £2,900.

For very small (micro) organisations, the fee will be no higher than the £35 they currently pay, provided they take advantage of a £5 reduction for paying by direct debit. The ICO explains that the top-tier fee is higher because those organisations are likely to hold and process the largest volumes of data, and therefore represent a greater risk.

There is a monetary penalty (fine) for not registering of £4,350 regardless of organisational size.

Key FAQs on the website include:

Do I have to pay a fee? If you are a Controller and the exemptions don’t apply to you, you will have to pay the fee.

If my registration expires on or after 25 May 2018, can I renew early and pay my current fee? No. You must pay the correct fee under the new fee structure.

When will I have to pay the new fee? The new regulations come into effect on 25 May 2018, when organisations must apply the GDPR. But this doesn’t mean that everyone has to pay us a fee on that day. Controllers with a current registration (or notification) under the 1998 Act will not have to pay any other fee until their notification has expired (12 months from the day they made it). Controllers that are not currently notified will be liable for the new fee on 25 May 2018, unless an exemption applies.

If I renew under the old arrangements, will I have to pay again on 25 May 2018? No. If you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months. You will not need to pay the new fee until your current registration expires.

What is the difference between notifying under the Data Protection Act 1998 and paying the data protection fee? Aside from the level of the fee, the main difference is that under the 1998 Act, Controllers had to give details of the types of processing they did. You will not need to provide this information from 25 May 2018.

How will I know my renewal is due? The ICO will email you before your previous payment expires and your new payment is due.

What happens if I don’t pay my fee? The ICO will send you a reminder explaining when you need to pay. If you don’t pay, or tell them why you are no longer required to pay a fee, they will issue a notice of intent 14 days after expiry. You will have 21 days to pay or make representations. If you do not pay, or fail to notify them that you no longer need to pay, you may be issued with a fine of up to £4,350 (150% of the top tier fee).

Data Protection and SMEs

Many small firms are still not sure what GDPR means, but they need to start paying attention, as the new UK legislation in the form of the Data Protection Act 2018 will soon apply. The Federation of Small Businesses (FSB) has found that a third of small businesses have not started preparing for the introduction of the GDPR, while a further third are only in the early stages of preparations. Only 8% of small businesses have completed their preparations.

FSB National Chairman Mike Cherry explains: “The GDPR is the biggest shake-up in data protection to date, and many small businesses will be concerned that the changes will be too much to handle. It is clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”

On average small firms will spend seven hours per month meeting their data protection obligations, which equates to £1,075 per year, according to the FSB. Recognising that some small businesses will not be compliant ahead of the May deadline, the FSB has appealed to the regulator, the ICO, to take a proportionate approach to enforcement and not immediately to resort to fines.

What actions need to happen before 25 May 2018

We have been reviewing our own Data Protection Policies, and we have now issued to all our clients a Data Sharing Agreement, along with mailing out our policies on how we will ensure that we protect and handle client data.

We are also updating all our clients’ Handbooks with an Employment Data Protection Policy, which will cover your employees’ responsibilities and rights. It is not meant to cover, and indeed does not cover, what data you hold about your customers or others, or what practices you have in place to keep it secure, so you need to be taking steps to prepare for this.

It is likely that the ICO will not be able, or inclined, to start enforcement action against SMEs unless they are blatantly doing something terrible, but that is not an excuse for procrastination. We are already seeing signs that large organisations will be expecting their suppliers to have relevant Data Protection policies in place, or to answer rigorous questionnaires, so it is best to be ready for this and be able to show what you do to keep their data secure. Data holders (Controllers or Processors) will have to ensure that they have safeguards in place to prevent the accidental loss, destruction or damage of data, or unauthorised access to it. They should also review how they seek, record and manage consent to personal data being held by their organisation.

Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.

New Statutory Figures

The annual increase in compensation limits has been confirmed. The limits apply to dismissals (redundancies, detriments etc.) occurring on or after 6th April 2018.

  • £508.00 – the maximum amount of a week’s pay for calculating statutory redundancy pay and the basic award (up from £489.00);
  • £15,240.00 – the maximum statutory redundancy payment or basic award, i.e. 30 weeks (up from £14,670.00);
  • £83,682.00 – the maximum compensatory award which can be made for unfair dismissal (up from £80,541.00), or one year’s gross pay, whichever is the lower.

These increases mean that the maximum total unfair dismissal award is now £98,922.00, although uplifts can add a further 25%.

Employees may be entitled to receive guarantee payments for up to five days of lay-off in any three-month period. The maximum amount of such a statutory guarantee payment will increase to £28.00 (from £27.00) for any one day.

The new rates take effect where the ‘appropriate date’ for the cause of action (such as the date of termination in an unfair dismissal claim) falls on or after 6th April 2018. If the appropriate date falls before 6th April, the old limits will still apply, irrespective of the date on which compensation is awarded.

Fit for Work – No more

Since 15th December 2017, ‘Fit for Work’ has no longer been running its referral and assessment service. Free, professional advice is still available in a number of ways: all of the advice and guidance elements of ‘Fit for Work’ remain in place, as the website (the most highly used aspect of the service) and helpline remain open.

The service was part of the Government’s efforts to find solutions to keep people in work (and off benefits). Reforms to Statutory Sick Pay (SSP) will be set out in a separate consultation paper, to include proposals designed to allow greater flexibility in the payment of SSP (for example, to support phased returns to work).

The ‘Fit for Work’ service was meant to aid employees who have been absent for more than four weeks, and to plug the gap in access to Occupational Health services. It was conceived just over two years ago as a way to boost medical interventions, by allowing GPs to target employees by referring them for ‘specialist help’. The scheme never really took off and has now been scrapped due to low take-up rates: a survey in August showed that 65% of GPs had not referred a single patient and, of those that had, only 40% had seen someone return to work.

We were never fans, as we doubted whether the Government could attract and retain good quality staff who would actually see people and make considered, individually tailored recommendations that were reasonably practicable. We would nearly always recommend to employers that they use a reputable professional OH service to review the health and work of sick employees. We always advise clients that asking employees’ GPs for a report is unlikely to be too helpful, as the quality of response is often poor, reflecting their lack of knowledge about the employer’s jobs/environment.

Actions:

  • There is no need to have a retained OH provider but it is useful to know of one (or know someone who does)
  • Conduct return to work interviews which should pick up if people are returning to work when not fully fit
  • Do not let people drift once they have gone beyond four weeks of absence; get them referred to a reputable OH provider
  • Ensure that you give an OH provider a clear and realistic brief.

We would be pleased to recommend a good quality OH provider to employers who need this assistance.

Looking Ahead – Payslips

Arising from the Taylor Review into modern working practices, the Employment Rights Act 1996 (Itemised Pay Statement) (Amendment) Order 2018 has been laid before Parliament. This is a small but important amendment, which will require employers to set out on payslips the number of hours that an employee is being paid for and, where different hourly rates apply for different hours, to specify this. Where an employee’s pay varies as a consequence of the time worked, their itemised pay statement must contain information about the number of hours worked. This should make it easier for employees to understand what they have been paid for – and whether they have been underpaid.

We believe this is because the current legislation focuses on deductions, but for many people with variable hours, the difficulty lies in calculating gross figures.

The Order doesn’t come into force until 6th April 2019 so employers have plenty of time to prepare.

Our Consultants would be pleased to answer questions on any of the above, or you can find much of the data on our website, by clicking on Frequently Asked Questions.

The General Data Protection Regulation (GDPR) will apply in all EU Member States from 25th May 2018. It is important to stress that the GDPR is about much more than employee data. It is becoming increasingly clear to us that our extensive range of clients have a wide range of data protection issues, far beyond the employee information which they hold, and many do not meet the current Data Protection Act, let alone the even more onerous GDPR, so they are just not prepared. Our previous newsletter focussed on employee data. This newsletter will concentrate on the broader issues which you need to be thinking about with regard to the personal data your organisation processes, stores and disposes of.

One of the first things to consider is whether the organisation is processing personal data as a controller or a processor. A processor just acts on the instructions of the controller.

Countdown to 2018

The GDPR will harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about, and control over, how it’s used. There are a large number of national derogations. It is also likely there will be differences in the way the Regulation is interpreted and enforced in different Member States. It is believed that the British Data Protection Bill will not be ‘gold-plated’, i.e. not made more onerous than the EU Directive, on its way to becoming an Act of Parliament. The new law gives individuals more say over what organisations can do with their personal data (which can be anything from physical, physiological, mental, economic or cultural data and more).

The new law retains the same core rules as the Data Protection Act 1998 (DPA), and continues to regulate the processing of personal data, but there are some significant changes. These include the right to be forgotten, the right to request the porting of one’s personal data to a new organisation, the right to object to certain processing activities and to decisions taken by automated processes.

The concept of sensitive personal data has been retained and expanded to include genetic and biometric data. The actual term ‘sensitive personal data’ has been dropped, but is now re-termed as falling into ‘special categories’, i.e. information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

Board or Senior Management Issues

Data protection needs to become a boardroom issue, as the law is designed to put data protection at the top of the agenda for all organisations. This is done by creating a culture where everyone contributes to maintaining data privacy standards and ensuring compliance, thinking about how their own personal information is processed as well as about how they handle the personal data of others, i.e. the people they deal with, such as customers/clients, patients, guests, residents, other stakeholders, members of the public etc.

Also, it’s not just about the threat of financial penalties. Individuals need to trust the organisations they are providing their personal information to, and have confidence that their information will be handled appropriately and securely, as without that trust there will be huge organisational challenges to overcome.

The GDPR introduces the principle of accountability which runs through the core of the legislation. Accountability needs to be entrenched in an organisation, requiring a change in mind-set and for organisations to take a proactive, methodical and accountable approach toward compliance. The Senior Management Team need to understand the potential exposure to fines, and other sanctions under the GDPR, and must get buy-in for compliance at all levels across the organisation.

Compliance

Organisations must be able to demonstrate their compliance with the GDPR’s principles, which will include adopting certain “data protection by design” measures, staff training programmes, and having suitable data protection policies and procedures.

You will need to identify means to “demonstrate compliance” – e.g. adherence to approved codes of conduct, “paper trails” of decisions relating to data processing and, where appropriate, privacy impact assessments.

Your internal governance processes will need to demonstrate how decisions to use data for further processing purposes have been reached and, that relevant factors have been considered.

Consent and Legitimate Interests

You need to ensure you are clear about the grounds for lawful processing relied on by your organisation, and check these grounds will still be applicable under the legal requirements. Consent is not the only mechanism for justifying the processing of personal data.

The processing of personal data will only be lawful if it satisfies at least one of the following conditions:

  • Consent of the data subject – this is broadly the same as under the DPA, but the GDPR has a narrower view of what constitutes consent, meaning that it will become harder to obtain consent. In practice, this means that data controllers will have to fall back on other processing conditions.
  • Necessary for compliance with a legal obligation – this is broadly the same as under the DPA. However, under the GDPR, the legal obligation must be an obligation of Member State or EU law to which the controller is subject.
  • Necessary for the performance of a contract with the data subject, or to take steps preparatory to such a contract – again, no change from current law.
  • Necessary to protect the vital interests of a data subject, or another person where the data subject is incapable of giving consent – this should only be relied on when there is no other ground available, e.g. medical emergencies.
  • Necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
  • Necessary for the purposes of legitimate interests – this condition can no longer be relied on by public authorities, but is probably the most important for many other organisations.

If you are relying on “legitimate interests”, ensure that decision-making in relation to the balance between the interests of the controller (or relevant third party) and the rights of data subjects is documented, particularly where this affects children. Make sure also that data subjects would reasonably expect their data to be processed on the basis of the legitimate interests of the controller or relevant third party. You will also need to make sure that you advise people of this reason in the information that must be supplied to data subjects. A legitimate interest ‘must be real and not too vague’. For example, it may apply to an organisation’s data processing as part of fraud protection, security measures or transferring that data between different parts of an organisation.

In some ways the best reason is that the individual has consented to you processing their data. The standard for obtaining valid consent has, however, been tightened up: consent must be specific, freely given, informed and unambiguous, and the conditions for obtaining it have become stricter. To justify consent from a legal perspective, ensure that:

  • consent is active, and does not rely on silence, inactivity or pre-ticked boxes;
  • consent to processing must be distinguishable, clear, and not “bundled” with other written agreements or declarations; there is a presumption that forced consent mechanisms will not be valid, so it must be clear exactly what people are assenting to;
  • consent requests are separate from other terms and conditions; organisations should avoid making consent a precondition of a service, unless necessary for that service, and must not be used as a vehicle to get consent to something else, e.g. receiving email;
  • the data subject must have the right to withdraw consent at any time, but this will not affect the lawfulness of consensual processing before its withdrawal;
  • there are simple methods for withdrawing consent, including methods using the same medium used to obtain consent in the first place;
  • separate consents are obtained for distinct processing operations; and
  • consent is not relied on where there is a clear imbalance of power between the data subject and the controller.

Further guidance is expected, but organisations will need to review existing consent mechanisms, to ensure they present genuine and granular choice. Granular means that you give a thorough explanation of options to consent to different types of processing wherever appropriate. You will need to determine whether any of your current processing is based on assumed consent and if so, this must be stopped, unless you can get consent, or have another legal basis for the processing. You must audit data privacy notices and policies to ensure that individuals are told about their right to object, clearly and separately, at the point of ‘first communication’. For online services, ensure there is an automated way for this to be effected.

Security

Controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The assessment of what might be appropriate involves considering the context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.

Appropriate measures are set out as possibly including:

  • pseudonymisation (separation of data from direct identifiers so that linkage to an identity is not possible without additional data to re-identify the person);
  • anonymisation (which irreversibly destroys any way of identifying the data subject);
  • encryption and other measures, such as firewalls, to prevent hacking;
  • ensuring confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore availability and access to personal data in a timely manner in the event of an incident; and
  • the regular testing and evaluating of technical and organisational measures designed to ensure security of data processing.
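The difference the list draws between pseudonymisation (reversible, but only with additional data held separately) and anonymisation (irreversible) is easy to blur in practice. The Python example below is added here and is not from the newsletter or the ICO; it pseudonymises a constructed HR-style dataset with a keyed token and a separately held lookup table, and contrasts that with an irreversible per-department aggregate. The record fields, the sample people and the `Pseudonymiser` class are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (invented names and addresses) of the kind an
# employer holds: direct identifiers alongside sensitive attributes.
EMPLOYEE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.invalid", "department": "Finance", "sick_days": 3},
    {"name": "Bob Example", "email": "bob@example.invalid", "department": "Finance", "sick_days": 0},
    {"name": "Cara Example", "email": "cara@example.invalid", "department": "Warehouse", "sick_days": 7},
]

# Fields that identify a person directly and must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")


@dataclass
class Pseudonymiser:
    """Replaces direct identifiers with a keyed token (hypothetical helper).

    The key and the token-to-identity table are the 'additional data' that
    makes re-identification possible. Whoever holds them can undo the
    pseudonymisation, so they must be stored and access-controlled
    separately from the pseudonymised dataset itself.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def token_for(self, email: str) -> str:
        # A keyed HMAC rather than a plain hash: without the key, nobody can
        # confirm a guessed email address by recomputing its token.
        digest = hmac.new(self.key, email.strip().lower().encode(), hashlib.sha256).hexdigest()
        return digest[:16]

    def pseudonymise(self, record: dict) -> dict:
        token = self.token_for(record["email"])
        # The route back to the person is recorded only in this object,
        # never in the returned record.
        self.lookup[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = token
        return out

    def reidentify(self, token: str) -> Optional[dict]:
        # Only possible for the holder of this lookup table.
        return self.lookup.get(token)


def anonymise(records: list, keys_to_keep=("department",)) -> dict:
    """Irreversible: keep only aggregate counts per group.

    No token and no lookup table are produced, so there is no route back to
    any individual, which is what distinguishes this from pseudonymisation.
    """
    totals: dict = {}
    for r in records:
        group = tuple(r[k] for k in keys_to_keep)
        totals.setdefault(group, {"people": 0, "sick_days": 0})
        totals[group]["people"] += 1
        totals[group]["sick_days"] += r["sick_days"]
    return totals


def demo():
    """Run both treatments over the sample data and return the results."""
    p = Pseudonymiser()
    pseudo = [p.pseudonymise(dict(r)) for r in EMPLOYEE_RECORDS]
    agg = anonymise(EMPLOYEE_RECORDS)
    return p, pseudo, agg


if __name__ == "__main__":
    holder, pseudo_records, aggregate = demo()
    print("pseudonymised:", pseudo_records)
    print("re-identified first token:", holder.reidentify(pseudo_records[0]["subject_id"]))
    print("anonymised aggregate:", aggregate)
```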

The best way for organisations to deal with this is to minimise breaches, but also to have policies in place to enable staff to assess risk in order to show compliance. As with so much of the GDPR, being able to demonstrate that the proper precautions and steps were taken will be crucial. If your security measures are currently fit for purpose, you are unlikely to need to do much more, but it would be worth reviewing these measures to ensure they are up to date with the latest technology and threats. Many changes, however, are not about technology at all: it is simple stuff like not leaving files on photocopiers, or on desks or screens, when we are not there.

In a recent case against Morrison Supermarkets, the High Court has held that an employer was vicariously liable for the actions of a disgruntled employee who disclosed the personal information of around 100,000 colleagues on the internet. Although the disclosure took place outside working hours, and from the employee’s personal computer, there was a sufficient connection between the employee’s employment and the wrongful conduct for it to be right to hold the employer liable. There is no suggestion that Morrison was negligent, but they are facing a potentially large amount in compensation. This highlights another warning about how the employer can be held responsible for the acts, lawful and unlawful, of its employees.

Subject Rights

Many existing rights are retained or enhanced in GDPR, and there are some new ones. Here is a selection:

Subject Access

The right is retained, but it will no longer be permissible to charge a fee, and the time limit is reduced from 40 days to a month.

Rectification

The Data Subject can have incorrect data corrected and incomplete data completed.

Erasure (“right to be forgotten”)

The Data Subject can tell you to erase their information and you must do so unless you have a good reason (from among the options set out in GDPR) to retain it.

Restriction of Processing

The Data Subject can restrict your processing of their data if there is an unresolved question of its accuracy, and in some other specified situations.

Portability

In certain cases (mainly where the Data Subject has signed up to online services), they can have their data transferred directly to another provider.

Direct Marketing

As now, the Data Subject has the right to stop you from sending them any direct marketing, and you must make sure they know about this right. If you currently send email campaigns, you need to make sure your audience has opted in to receive information, and that you have a record of when and where that person opted in. (To prove it was a person and not a ‘bot’, a ‘double opt-in’ is required). This may mean re-opting in all the people on your mailing list before May next year.

Profiling & Automated Decision-Making

There is a new right, in some cases, to prevent “a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her”.

Complaints and Compensation

Data Subjects have the right to complain to the ‘supervisory authority’ – i.e. the Information Commissioner – and have the complaint investigated.

Data Sharing with Other Organisations

If you process personal data as part of work in collaboration with other organisations, then both or all organisations are likely to be joint Controllers. Under GDPR you can’t pass the buck between processor and controller. Each business is responsible for upholding the same standards, and you’ll want to work with businesses who are GDPR-compliant. You must set out ‘in a transparent manner’ your respective Data Protection responsibilities, and to make the ‘essence’ of the arrangement available to your Data Subjects. Data Subjects may exercise their rights against any of the joint Controllers.

Work with relevant partners who may collect data on your organisation’s behalf to assign responsibility for notice review, update and approval. You need to review all your collaborative projects and activities to ensure that, where applicable, your agreements are clear on each party’s Data Protection responsibilities.

Controllers and processors are also required to ensure anyone acting under their authority accessing the personal data, does so only in accordance with their instructions. Compliance may (but does not have to) be demonstrated by adherence to an approved code of conduct or certification mechanism.

Controllers and processors should agree to report to other controllers or processors that are involved in the same processing, any relevant compliance breaches and any complaints or claims received from relevant data subjects. They should agree on their respective obligations for data protection compliance, their respective liabilities for data protection breaches and mechanisms for resolving disputes regarding respective liabilities to settle compensation claims.

Action

Assign responsibility and budget for data protection compliance within your organisation. Whether or not you decide to appoint a Data Protection Officer (DPO), (or have to) the GDPR’s long list of data governance measures necessitates ownership for their adoption being allocated within an organisation.

Ensure that a full compliance programme is designed for your organisation, incorporating features such as: Privacy Impact Assessments (PIAs), and regular audits of data, data protection updates, and training/awareness raising programmes.

Monitor the publication of supervisory authorities/EU and industry published supplier terms and codes of practice to see if they are suitable for use by your organisation. If you are a supplier, consider the impact of the GDPR’s provisions on your cost structure and responsibility for signing off the legality of your customer’s activities.

Implement measures to prepare records of your organisation’s processing activities. If you are a supplier develop your strategy for dealing with customer requests for assisting with the development of such records.

Teamwork not just IT

You should establish a GDPR compliance team with the necessary skills and experience to develop, implement and coordinate a compliance plan. Initially this will mean analysing existing data processing activities across the organisation’s employment lifecycle to identify high-risk areas.

Develop a timeline to implement a GDPR compliance programme.

Next Steps

  1. Carry out a risk assessment (PIA) and then act on the results:
    1. Document all current processes and data flows
    2. Analyse any potential areas of weakness or vulnerability
  2. Document:
    1. What personal data you hold and why
    2. Where it came from
    3. Who you share it with
    4. Business relationships with service providers, data providers and contractors and ensure they are GDPR compliant.
  3. Identify the lawful basis for your processing activity.
  4. Review/establish processes for seeking, recording and managing consent and refresh consents if they do not comply with GDPR.
  5. Document the procedure in place to detect, report and investigate personal data breaches, and audit them.
  6. Document and review procedures for communicating privacy; dealing with individuals’ rights regarding erasure, subject access requests and objections; transfer of data etc.

Checklist

  • Make someone responsible for managing GDPR and data strategy.
  • Add opt-ins to all your digital marketing, and ensure you get a double opt-in.
  • Restrict access to personal data to only those who need to have access to it.
  • Ensure you have up to date security systems, such as firewalls, backups, encryption and authentication and test them on a regular basis.
  • Explain to users, in plain language, what data you’re holding, how long you’re holding it for, and how users can withdraw their consent. Your policy has to be simple, appropriate, and contain all the required information.
  • Develop a detailed breach response plan, including when to notify regulators and individuals, as well as how to handle data breaches from a media perspective.
  • Consider making financial provision to handle transitional costs, any data breaches and taking out insurance to cover data breaches.
  • Keep records of any data breaches, what data was compromised and how the breach was dealt with as well as what steps are being taken to ensure that type of breach does not re-occur.

We are not saying that this is all you need to know about Data Protection, but if you address these issues it is likely that you will have covered all the most important matters.


Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.