The ICO is an acronym for the Information Commissioner’s Office in the UK. This is the government authority that enforces Data Protection Laws in the UK. The ICO has recently started targeting UK businesses owned by foreign residents (English Limited Companies, Scottish LP Partnerships etc) that are not registered for data protection purposes.
If you are found to be non-compliant, the fines can be substantial. Perhaps even worse, sanctions could damage the international reputation of your business. A black mark against your company’s record could deter banks, clients and suppliers from doing business with you in the future.
On the other hand, registering under the UK’s Data Protection Act costs very little. It can enhance your reputation, create substance for your business and give clients added confidence in your company all in one stroke. It’s a quick, cheap and simple way to demonstrate publicly that you are running a legally compliant business, and that you are serious and professional in your business dealings.
This article therefore addresses the question: Does your UK company or partnership need to register with the ICO? It also looks at the pros and cons, costs and requirements. It is aimed at foreign or offshore owners of UK businesses of all types (for example Limited companies, Scottish Limited Partnerships, LLPs, and UK branches of offshore companies).
What is Data Protection Registration?
The basic goal of the UK Data Protection rules is to safeguard the data of third parties, and all our respective private lives. This is done through enforcing certain data protection standards – including keeping a public register of companies that are processing personal data. The Data Protection Public Register can be consulted here.
Registering with the ICO under the Data Protection Act is a legal requirement for most businesses in the UK. This has been the case since the UK’s first data protection legislation was passed back in 1984. Nearly all British businesses that have a real physical presence in the UK are registered and comply with this law. It is something that is taken for granted in the British business community – like the fact that you need a driving license if you are going to drive a car on a public road.
However, enforcement has traditionally been very lax, almost non-existent, in the sphere of the hundreds of thousands of UK companies that are controlled by non-residents and do not do business in the UK. The general view has always been that if companies are not doing business in the UK, the rules do not apply to them. This view has little legal basis.
Partly as a consequence of Brexit, this lax enforcement environment has now changed. As of 2021, the Information Commissioner’s Office has taken on a new, more aggressive role. It has started a campaign identifying UK companies operating on the internet that are not registered but which, in the ICO’s view, should be. In typical British style, they are writing letters to these companies “inviting” them to comply with the law. You should not, however, be fooled by the typical British politeness and understatement in these letters: those who ignore these “invitations” do so at their own risk. Above all, it is much better to comply with the law than to wait to be targeted.
Why Increased Enforcement in 2021?
Why the sudden change? European readers will remember the fuss about the introduction of GDPR, the General Data Protection Regulation, across the European Union. In the EU, GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018. In early 2018 there was a rush for businesses to become compliant and we all received lots of emails from companies asking us for explicit permission to store and manage our personal data.
At the time GDPR happened, the UK was a member of the European Union so British businesses came under the scope of GDPR. With Brexit, however, things have changed. According to the ICO’s website, “The EU GDPR is an EU Regulation and it no longer applies to the UK. If you operate inside the UK, you need to comply with the Data Protection Act 2018 (DPA 2018). The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.” What this basically means is that the rules have not changed, but they are no longer under EU jurisdiction.
This legislation is politically very important to the British government. It allows data to flow between the UK and the rest of Europe (or, to be more precise, the EEA.) If the EU doesn’t approve the UK’s Data Protection Legislation, it could stop European businesses sharing data with their UK counterparts – something that, in today’s digital world, could be an economic disaster for the UK. You can now begin to understand, therefore, this new emphasis on enforcement and compliance in the UK.
Earlier this year, the Information Commissioner’s Office (ICO) fined American Express GBP 90,000 for sending marketing emails to customers who did not want to receive them. American Express was also publicly named and shamed. Follow the advice in this article and don’t let your company be the next example!
Of course, maybe it’s simpler than that: perhaps the ICO needs money. Foreign-owned companies that are not compliant could be an easy target.
Whatever the reason, if you chose to set up a UK company because of the reputation of the jurisdiction, it certainly makes sense to be seen to be proactively compliant with applicable laws.
Who Needs to Register under the Data Protection Act 2018?
The guiding principle is that any company that uses a computer to process personal data must be registered. If your UK company maintains all its files related to third parties on paper, in theory you do not need to register. The same applies if you do not process any personal data.
However, the moment the company stores any personal information (even an email address in Outlook, or a client’s WhatsApp number saved on a phone for business purposes), that counts as processing personal data and you are obliged to register.
There are certain limited exemptions to the British Data Protection Act 2018. You don’t have to register if you only handle personal data for one or more of the following reasons:
- staff administration (HR)
- advertising, marketing and PR
- accounts and record keeping
- not-for-profit purposes
- personal, family or household affairs (family office)
- maintaining a public register
- judicial functions
- processing personal information without an automated system (i.e. old-fashioned paper files)
So long as your UK company’s data processing remains strictly within the exemptions above, then there is no need to register with the ICO. However, even if you are exempt from registration, it may be advisable to register voluntarily for public transparency and in case any of your processing should accidentally move beyond the scope of the exemptions.
What is Required to Register with the ICO and what will I receive?
The good news is that it’s not difficult at all to register. Most companies simply need to register basic details on file, such as the company number and address. These will appear on the public register and, as such, will enhance the credibility of the business. You will receive a registration number that you can publish on your website, publicity material, letterhead etc.
Most companies do not need to appoint a professional Data Protection Officer (DPO). If they choose to do so, however, the Data Protection Officer’s details must be registered too.
The UK GDPR requires your company to appoint a DPO if you are a public authority or body, or if you carry out certain types of specific data processing activities.
The DPO’s role is to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO). The DPO must be independent, a qualified expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or outsourced. According to the ICO, “DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.”
International Wealth’s Service for UK Data Protection Registration
Have you already received a letter from the ICO inviting you to comply? Or are you a smart international business person who would like to bring your UK company into compliance without risking an investigation and ICO enforcement action?
Offshore Pro Group, the parent company and owner of the International Wealth portal, now offers professional services to help non-resident owners of UK companies to comply with their Data Protection obligations.
Our BASIC SERVICE includes registration of your UK company on the ICO website (also including government fees) and one hour of expert consulting on data protection compliance to make sure your company complies with all legal obligations. This consultation may be provided either by email or by Zoom meeting, in English. The fixed fee for this service is GBP 995.
Our ENHANCED SERVICE includes everything in the basic service, plus provision of an outsourced professional Data Protection Officer on an annual renewable basis, including development of a set of policies and protocols tailored for your overseas-managed UK company. The cost of this service depends on our initial assessment of the work involved.
Please feel free to discuss these services and fees with your Relationship Manager. If you are not yet sure what you need, our advice is to sign up for the basic service first. Subsequently, during the consultation, once our expert lawyer fully understands the requirements of your company, you can discuss whether there is any need for the enhanced service. In our professional experience, most clients will only need the basic service. Enhanced services will be applicable to companies processing more specific data: social media, gaming and financial services companies, for example, might need our enhanced services.
Services to Companies that we do not represent as agents
Offshore Pro Group prefers to offer a complete, one-stop service to our clients. Our client base includes international individuals, corporates and institutions that have chosen to base their companies in the United Kingdom, one of the world’s leading international financial centres.
You can gain the most benefit from our service when we manage all the compliance aspects of your company: registered office, maintaining statutory registers, managing share certificates, opening bank accounts and full tax services to name a few of our many professional compliance services for UK companies and Scottish Limited Partnerships. We offer preferential pricing if you retain us for the complete turnkey package of services.
Do you prefer to hire us only to provide Data Protection consulting to a UK company you manage elsewhere? That is possible too.
To discuss your needs in more detail, feel free to contact us. We recommend you write us a detailed email outlining your needs, so our UK specialists can reply directly. If you prefer to contact someone for immediate assistance, our Live Chat and WhatsApp services are at your disposal! We look forward to hearing from you soon.