The GDPR (General Data Protection Regulation) has been in effect for almost a year now, but there is still a sense of confusion and uncertainty around the topic of complying with the new data protection laws. We’d need an abundance of blogs to make every element of GDPR compliance clear and understandable. So let’s start with the basics…the need to register.
In short, all organisations processing personal data must comply with the requirements of the new law, including the need to register. But what counts as personal data? What does “processing” data actually mean? How do I know if my company needs to register? If you’re scratching your head and finding the whole process as clear as mud, read on…it could save you a hefty fine!
What is personal data?
In short, personal data is any information held that could identify a person. The obvious, direct identifiers are people’s names, addresses, personal identification numbers, CCTV images, etc. But GDPR goes deeper than this and includes any information that, if combined, means a person can be identified indirectly.
Examples of indirect data identifiers are a person’s date of birth, financial information, education or employment information, business telephone numbers or email addresses. These examples on their own cannot identify an individual (though they may well do on the Isle of Man), but combined with other information they can. If you hold business email addresses for your contacts, there is nothing stopping you searching that email address and being able to identify the individual behind the address.
The scope of what constitutes personal data is infinite and it comes in all shapes and sizes. It could include vehicle registration numbers, tenant’s details on an agreement, communication that comes to your company from your website, contact details held for third parties you use to support your business, customer contact details, CCTV images, IP addresses…basically any information that could potentially identify someone.
Do you hold email addresses, names and telephone numbers for companies that your business interacts with? If so, you are holding personal data and you probably have a requirement to register.
Does my company process personal data?
If you collect, store or record personal data either electronically or in hardcopy then you process personal data. Examples of this in practice could be staff management and payroll administration, access to/consultation of a contacts database, sending promotional emails, adding a photo of a person to a website/company social media site, storing IP/MAC addresses, etc. Again, the list goes on.
In simple terms, if you perform any operation using information that could identify a person, you will need to register to comply with the law.
Exemptions from registering
You are exempt from the need to register for data protection if personal data is solely processed to:
- administer your own staff;
- administer the accounts and records of the organisation or business.
Each of these exemptions comes with its own set of criteria, which can be found here. Your company must meet all the criteria on the list to qualify for exemption. Generally only the simplest of businesses will fall within the scope of the exemption.
I’m still not sure if I need to register my company
Thankfully, the Isle of Man Information Commissioner (IOMIC) has a handy little questionnaire to follow if you’re still unsure whether or not to register. You can find it here. At Middleton Katz, our advice would be to err on the side of caution when it comes to personal data. The potential penalties associated with non-compliance are rather robust (fines of up to £10,000 and directors may also be personally liable for offences). The cost of registration is slight in comparison (£70).
You can find a wealth of information on the Isle of Man’s Information Commissioner’s website that will help your company comply with the new laws.
It is the responsibility of each Isle of Man Company to review and assess the relevance of the Data Protection Act 2018. If you would like the assistance of Middleton Katz to complete and maintain the registration on your behalf, please contact our Data Protection Officer, Martin at email@example.com or call us on 01624 648500.