My dog is registered with the ICO: start taking Data Protection seriously
Noodle the DPO
For a while now, the UK's Information Commissioner's Office (ICO) has required businesses to register with the ICO and pay a data protection fee. The size of the fee depends on the size of the business, and the data being processed, and during the registration process, the ICO will even highlight the need for a Data Protection Officer (DPO).
Registration doesn't mean compliance
Unfortunately, a lot of businesses in the UK are misusing their ICO registration. The most common misuse I've seen is "We don't need a detailed privacy policy because we're registered with the ICO", but registration has also been used as an excuse for not having a cookie policy, or for not disclosing data sub-processors.
I've even seen one company claim that because they are registered with the ICO, they don't need to disclose that they are sending data outside the EU to the USA - or even what data it is that they are transferring, or to whom.
The ICO checks address details and requires a valid address, but there is no further checking beyond that. That meant I could go through the whole process of registering my dog, Noodle, and his consulting business (as a sole trader - some might say a lone woof). Payment of the £52 registration fee would have been taken via a payment service against a disposable virtual debit card - again, the only verification checks were against the registered address and the name on the card.
As long as the address is valid…
Noodle is a perfectly valid DPO (Dog Poo Officer), and I could have proceeded with the registration and then cancelled, but decided to stop it before payment was made - there's such a thing as taking a joke too far, and the ICO doesn't really deserve having its register clogged up even more than it already is.
The ICO isn't doing anything wrong
The problem is not "Oh, the ICO isn't doing enough checks". The problem is that companies think their data protection obligations start and stop at being registered.
The approach to registration is valid, and the ICO is doing everything it needs to do. Doing an actual ID check is a problem for a number of reasons: the registered address might not be the same as on the Electoral Roll (hello ex-deputy PM [Angela Rayner!](https://www.bbc.com/news/uk-politics-68885428)), all address details might be against a company address, and there is the proportionality aspect as well as the need to secure the supporting ID documents.
This is an inherent problem with any check of this kind, including online age verification and Know Your Customer (KYC) checks: the process has to support many different combinations of ID evidence, and with enough time and effort, anything can be spoofed.
ICO registration means nothing beyond the fact that your business has paid the required fee to the ICO. Registration doesn't mean the business is compliant with GDPR (specifically, the UK implementation - the Data Protection Act). Nor does it mean the business is trustworthy, is protecting and managing the data it holds effectively, or is meeting its legal obligations.
Compliance is easy
At its most basic level, a privacy policy is the public statement from your business about how it collects, processes, and manages people's data. A complete and detailed privacy policy is the bare minimum all organisations should be producing.
Building a privacy policy is incredibly easy. There is nothing complex or onerous about it:
* What data do you collect?
* How do you collect it?
* Why do you collect it?
* Who has access to it, and why?
* What rights do data subjects have?
The ICO has published an easy-to-understand table that lays out what you must have, should have, and might have in your privacy policy. You can read the details [here](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/the-right-to-be-informed/what-privacy-information-should-we-provide/).
There's no excuse for not getting this right. Hopefully, we will see further enforcement action from the ICO to get organisations to meet their legal data protection duties.
If you want to throw me a bone, I'm sure Noodle would be pleased to do some consulting work for you to help you out.