You must notify the Information Commissioner’s Office (ICO) if your organisation processes personal data in an automated form.
‘Personal data’ means data that relates to a living person who can be identified from that data. It includes employment details, client information and information captured on CCTV.
If you do process personal data, your organisation is a ‘data controller’ for the purposes of the Data Protection Act 1998.
Most organisations must notify the ICO unless they only process personal data for the following purposes:
- staff administration (including payroll)
- advertising, marketing and public relations for their own business
- accounts and records
- judicial functions
- personal, family or household affairs (including recreational purposes)
The following are also exempt from the requirement to register:
- some not-for-profit organisations
- data controllers who only process personal data for the maintenance of a public register
- data controllers who do not process personal data on computer
You should always check with the ICO if you are unsure whether you are exempt from notification.
How to notify
You can notify the ICO by:
- filling in an online notification form, printing it out and sending it to the ICO
- completing a notification form request and posting it to the ICO
- ringing the ICO’s notification helpline and requesting a notification form
You need to fill in details of your organisation and a general description of the processing of personal information being carried out by the data controller.
A notification fee of £500 applies to data controllers that either:
- have a turnover of £25.9 million and 250 or more members of staff
- are a public authority with 250 or more members of staff
All other data controllers - including registered charities and small occupational pension schemes, regardless of their size and turnover - must pay £35 per year unless they are exempt.
Once you have successfully notified the ICO, the details of your organisation will be entered on the register of data controllers.
You need to renew your registration each year. If you fail to do so you are committing a criminal offence and could be faced with an unlimited fine. The ICO will write to you before the expiry date and explain the process for renewing your entry on the register.