GDPR for Sole Traders – Controllers, Processors and ICO Registration

This entry is part 4 of 5 in the series GDPR for Sole Traders

This morning my other half mentioned a concern that was popping up about ICO registration fees for sole traders working with personal data under GDPR. Since there seems to be a lot of confusion (including from the ICO phone staff themselves who have been reported as giving varying answers to the same people) I thought I’d try and help. All the usual provisos apply, and I am working only from the information published by the ICO – simply summarising it and cutting out some of the parts I don’t think are relevant.

First of all, the way that the ICO is funded and the requirements for notification/registration have changed. I won’t go into the old rules, but the new ones are quite simple – there is now a legal requirement for data controllers to pay a data protection fee to the ICO. These fees are not unreasonable, running between £40 to £2900 per year depending on size and turnover. You can also get a £5 discount for paying by direct debit. Data processors do not need to pay this fee. There are certain other exemptions, but frankly they really only complicate the issue for most sole traders. I will talk about them shortly, but the core issue is that difference between controllers and processors – which is fundamentally quite simple but poorly explained.

The definition is this – a data controller determines the purposes for which data is processed. For most sole traders and small businesses who work with personal data, this will not be the case – in the vast majority of cases you will be fulfilling a commission or contract for a client, which means that you are not determining the purpose of processing any data they have passed you. You will still have the same duty to protect that data under the GDPR of course, but are not the data controller and so do not have to pay the data protection fee to the ICO. If, however, you are gathering the data, determining the purposes of processing and analysis, or anything similar then you will either need to pay the fee or rely on one of the other exemptions.

A data processor meanwhile may process the data, but does not decide the purposes of processing. As an example – a translator asked to translate a CV by an individual or a company is the data processor, while the client would be the data controller. A data processor does not have to pay the ICO data protection fee.

What if I am a data controller?

If you are a data controller there are certain exemptions which might apply, for example if your only purpose in processing data is staff administration you are exempt from the fee. In general though you will need to pay it – the exemptions are clear and narrow in terms of the data you can process and the purposes of processing it. Unless everything you process (where you are defining the purposes of processing it, not a client) falls under the exemptions then you will need to pay the fee.

The exemptions are listed, clearly, in the ICO’s own literature:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

Take special note of that last one – the definition the ICO is using here of an automated system is different to the GDPR’s definition of automated processing. In essence, if you are using any system with any level of automation for any point in the processing of data, then you do not fall under this exemption. Hopefully the others and the reasons for them are clear.

As always, feel free to send me any questions either here or on Twitter, and hopefully the picture is a little clearer for some of you now.

Series Navigation<< GDPR for Sole Traders – Contract Lawful BasisGDPR for Sole Traders – A Summary Presentation >>

2 Replies to “GDPR for Sole Traders – Controllers, Processors and ICO Registration”

  1. Can anyone advise whether I need to take action re GDPR please? Private company holding freehold to building, shareholders are lessees, residents who are not lessees have no data held. No customers, no trading – only business is maintenance of building as a group.. I sincerely hope we aren’t going to have to jump through hoops…

    1. You will need to comply with GDPR, however that doesn’t mean there’s a lot of hoops. Shareholders data, and employees, can be held under contractual basis which means the company would need to:
      – inform shareholders/employees if there is a change of purpose to something other than fulfilling contractual/legal obligations (which seems unlikely to happen)
      – make sure you’re only storing the data you need to (i.e. contact information would be necessary, birth dates wouldn’t be)
      – practice reasonable security

      On top of that I believe company law requires you to hold certain data about shareholders (I am not a lawyer), which would trump any GDPR provisions as existing legislation continues to apply in these circumstances, regardless of what GDPR says.

      No need to jump through a lot of hoops on this one that I can see. Hope this helps, but if you’ve got any other questions feel free to ask here or drop me a message on Twitter.

Join the discussion

This site uses Akismet to reduce spam. Learn how your comment data is processed.