It is often missed that, whilst GDPR abolished data protection registrations, the UK maintained the requirement to register in UK law. The registration must be made with the Information Commissioner’s Office (ICO), and a recent case shows that forgetting to do this won’t stop an organisation being fined.
What was the case about?
The First Tier Tribunal (Information Rights) has dismissed an appeal by an organisation against a penalty notice from the ICO for non-payment of the data protection fee. Many organisations are required to pay an annual fee under the Data Protection (Charges and Information) Regulations 2018.
The parties did not dispute the facts; the appellant implicitly accepted that it had not paid the required fee of £40 and that it had received a reminder and Notice of Intent to issue the penalty notice. The appellant said that the direct debit set up to pay the fee was cancelled by mistake. It did not provide any evidence as to how the mistake had happened or why it did not realise that the fee had not been paid.
What is the law?
A breach of the Regulations falls under section 149(5) of the Data Protection Act 2018 (DPA 2018), and the ICO can serve a penalty notice under section 155(1) of the DPA 2018.
What are the lessons learned?
The tribunal concluded that the appellant had not offered a reasonable excuse for its failure to comply.
Organisations should have systems in place to comply with their obligations under the law. Here the consequences can sometimes be greater than the fine itself: registrations often feature as a key element of due diligence, and collecting data without a registration in place could be a breach of Principle (a) of GDPR, since data may not have been obtained lawfully and transparently.
Tribunal Judge Moira Macmillan made this point, saying:
“We conclude that a reasonable data controller would have systems in place to comply with the Regulations and that the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller.”
Organisations should make sure they have processes in place to maintain their registrations. Cordery provides a registration renewal service for a fixed fee at http://www.corderycompliance.com/solutions/privacy-registration-and-renewal/.
For more information, please contact Jonathan Armstrong or André Bywater, who are lawyers with Cordery in London, where their focus is on compliance issues.
30 Farringdon Street
London EC4A 4HH
Office: +44 (0)20 7075 1784
Office: +44 (0)20 7075 1785