Data Protection – what you need to know

If you store personal data about individuals, you should be registered with the UK Government’s Information Commissioner’s Office (ICO) as a Data Controller. For example, a personnel system is an obvious example of a system which stores personal information.

Whether you are storing the information on your own hardware at your office, using a hosted server, or even using a cloud based software service also known as Software as a Service (SaaS), you should be registered.

It is sufficient for a business to register – you don’t have to name an individual within your organisation with Data Controller responsibilities as that employee might change. It’s not expensive to register but will require you to provide some information as to the nature of the data being stored. You will also need to be familiar with the 8 principles of data protection as set out by the ICO which will help you comply with any laws relating to the Data Protection Act.

As IT has become more prevalent in everything we do, especially data collection, some IT systems are used and managed by a chain of organisations that provide support or are subcontracted or paid to facilitate the use of IT systems to gather or provide personal information. With this in mind, a clear distinction has been made between Data Controllers and Data Processors.

In simple terms a Data Controller is an organisation that makes a decision to collect and store personal information in an organised or structured form, usually in the form of an IT system. This might be using software or a database they’ve purchased off the shelf, a bespoke system written specifically for their needs, or even software as a service (SaaS).

In all cases it is the organisation that makes the decision to collect and store the information that has Data Controller responsibilities, and this responsibility cannot be passed on to another organisation, even if other organisations are involved in facilitating the collection or management of the data, or are providing IT support or the IT systems concerned.

Only Data Controllers can register with the ICO, and Data Controllers have sole responsibility for ensuring that any systems they use are adhering to the relevant laws and the eight principles set out in the guide linked at the end of this post. For this reason, it’s important that Data Controllers familiarise themselves with the requirements.

Data Processors are any organisation that are involved with providing assistance with the processing of the data being collected by or on behalf of the Data Controllers. Data Controllers may rely on 3rd party Data Processors to assist them with adhering to the principles of the Data Protection Act, which is why Data Processors, although not able to register with the ICO, should also be familiar with the principles involved.

The following resources from the ICO are useful for both Data Controllers and Data Processors:

The ICO’s main website
The ICO’s guide to data protection including the eight principles involved
The ICO’s guide to help differentiate Data Controllers and Data Processors

The guides are well written, and provide greater clarity and more detail on this subject. They’re definitely worth reading, and are a necessity if the topic is relevant to you and your business.

We operate as Data Processors for various organisations, whether they are using our software services or our IT Support service.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Data Protection – what you need to know

Author: Robert Tokeley