Your free guide to data protection and marketing compliance
In essence, while data protection is the overarching goal, the GDPR is one of the tools designed to achieve this goal. It represents a comprehensive approach to data protection, aiming to give individuals greater control over their personal data. Therefore, while the terms are interconnected, they are not synonymous; GDPR is a regulatory mechanism within the broader sphere of data protection.
As a small business, you are generally required to register with the Information Commissioner's Office (ICO) in the UK if you process personal data. The ICO is the UK's independent authority set up to uphold information rights and protect personal data.
Most businesses and organisations that handle personal data must pay a data protection fee to the ICO and be listed on the ICO’s register of fee payers. There are a few exceptions, such as businesses that only process personal data for core business purposes like payroll and staff administration. However, these exemptions are limited, and many small businesses do not qualify.
Failure to register can result in fines and penalties, so it's crucial to determine your specific obligations. You can use the ICO’s self-assessment tool on their website to check if you need to register.
Your fee depends in part on your business size and turnover, and ranges from £40 to £2,900 annually.
Not all charities in the UK are required to appoint a Data Protection Officer (DPO). In fact, that job title is likely to disappear when the Data Protection and Digital Information Bill becomes law (anticipated to complete its parliamentary journey in July 2024). However, it is advisable to have a data protection lead who is suitably experienced in both data protection and PECR. Data plays a fundamental role in most charities, and having someone responsible for data protection can help monitor compliance. For UK-based charities operating in the EU, retaining a DPO may be necessary to comply with EU GDPR. Your data protection lead doesn't have to be in-house or a lawyer; in fact, it may be more cost-effective in the long run for smaller charities to outsource the role. Have you looked at my outsourced DPO service?