What Is An ICO Certificate And Why It’s Important

In a world filled with data, it becomes very easy to lose sight of what information you are in possession of. Some of it may seem relatively worthless, and some of it may appear highly confidential. Regardless, as a business, you have a duty of care to protect it and save yourself from costly penalties.  If your business handles sensitive data or personal information you are required by law to take care of it per UK GDPR. Also known as the Data Protection Act 2018, this regulation ensures that information is handled, stored and used in specific ways. Not doing so could result in fines as high as £17.5m being issued by the ICO.

Holding an ICO certificate will demonstrate that your business complies as best as it possibly can with the rules set out in the GDPR/DPA. It is a legal requirement and must be paid for by any UK business that processes data, minus a few exemptions. In this edition of our blog, we look at the ICO Certificate and why it would be worth any business having one. In addition, we will dive into the exemptions and costs, so you have a clearer understanding of whether an ICO certificate is required in your business.

how to get an ico certifcate and why it's important

What is an ICO Certificate?

An ICO Certificate is issued by the Information Commissioners Office to businesses that comply with and demonstrate a following of data protection rules. There are a host of ICO UK GDPR certification schemes in operation with plans to introduce more in the future. Some of the most common ones relate to:

  • Age checks
  • Asset recovery
  • Age-appropriate design
  • Provision of training and qualifications services

Several other schemes have been proposed and have not yet been approved. This is not to say they are inappropriate or insufficient. They have may just not been fully reviewed as yet. Upon review, approval may follow and see this list of four grow substantially.

Do I need an ICO Certificate?

In simple terms, if your business handles the personal data of individuals then you must register with the ICO and become certified. In some cases, you may be exempt, which we will dive into a little later. Businesses from small to large will likely need to register with the ICO. Think of it like this; if you process personal information about any individual on electronic devices and it could be used to identify them, you’ll need to pay for ICO registration. You’ll also need to register with the ICO if you use CCTV for crime prevention purposes even if your business does not collect personal data of individuals for its operation.

The majority of businesses process vast levels of personal information from customer names to addresses, employment history to financial records and so much more. This data in the wrong hands can lead to substantial harm for the business and/or individuals.

The ICO report for data incident trends shows that for Q2 of 2024, they were made aware of 3064 data incidents, up 6% from the prior year. Perhaps more alarming are the statistics from the government which inform us that 50% of UK businesses have experienced some form of cyber security breach within the last year.

These figures are alarming, so it is wise to ensure that the processing and handling of data remains compliant at all times.

With there being varying ICO schemes, it may be that one or more apply to your business so you should assess what you need before registering. For example, a retailer selling bladed items would be wise to have age check ICO certification in place.

It is the responsibility of your business to find out whether it needs to be registered. You can do this with a quick self-assessment on the ICO website.

How do I get an ICO certificate?

Once you have completed the self-assessment we referenced above, you can simply follow the process and be fully registered in minutes. If you happen to of missed that bit, head to the ICO website, complete the quick self-assessment (it takes around 10 minutes, if that) and follow the guidance from the site.

Do I have to get a new ICO certificate each year?

Your ICO certificate will expire every twelve months so will require renewal. With the planned release of new ICO schemes, it would be worth checking whether alternate schemes to those you are already on may be more relevant.

How much does an ICO certificate cost?

The cost of your ICO certificate can range from less than £100 to well over £2,000. It will all depend on the size of your business and how much money it turns over. Three tiers have been put in place to categorise each business. Your tier will depend on:

  • Your annual turnover
  • How many people you employ
  • If your business is a public authority, a charity or a small occupational pension scheme

Tier 1

Tier 1 applies to businesses that turnover no more than £632,000 in a financial year or have fewer than 10 people working for you. If you find yourself in tier one, your annual fee is £40.

Tier 2

Tier 2 will apply if your business has a financial year turnover that does not exceed £36 million or has under 250 staff employed. Should this apply, you will pay £60 per year.

Tier 3

Should your business not meet either tier 1 or 2, your fee rises to £2,900. Direct debit payments give a £5 discount on the annual fee regardless of the tier you are in.

Can I avoid paying the fee if I am not exempt?

It would be highly recommended you pay the fee. Fines can range from £400 but be as high as £4,000. In addition to the fine, the ICO publishes the details of the companies that have been issued the penalty notice, as well as the details of those who fulfil their legal obligations.

For compliant businesses, this helps reassure their customers and employees that data handling is taken seriously. For those falling foul, it highlights to customers that their time and money may be better spent elsewhere.

What will I get for paying the ICO?

When you pay your fee to the ICO, you’ll get your ICO Certificate. It doesn’t offer you any additional security or coverage. It simply shows that you process and handle data correctly. This may not sound like much but in the eyes of a wary public, it helps enhance your reputation as a business that treats data security seriously. You will appear on the register provided by the ICO as a business that takes care of how it handles data and valuable information. It is perhaps worth remembering that whether you pay £40 or £2,900 for your ICO certification, you could be fined up to £4,000 for not obtaining one and a further £17.5 million for breaching the GDPR rules!

Who is exempt from needing ICO certification?

Earlier on we touched upon exemptions and there are a few to be aware of. Your business may fall under one of the categories!

Firstly, if you do not process any personal data, you’ll not need to pay for an ICO certificate and will remain exempt. Secondly, if you do process personal data but do not use a computer or other electronic device to do so, you will not have to pay the ICO.

There are further exemptions when personal information is only processed when being used for:

  • Accounts and records
  • Not-for-profit purposes
  • Advertising and marketing
  • The upkeep of a public register
  • Judicial functions
  • Employee admin

Holding an ICO certificate can further enhance how seriously you take your responsibilities with data processing. Should you be wary of keeping data on-site and its potential for being compromised, speak to Stockroom London. We have secure data management and storage facilities that ensure the risk of breaches in the workplace is not just minimised but removed. With LTO backup services that keep large quantities of data safely stored for years, you can alleviate your concerns about cyber-attacks or data compromises within your business. You may follow GDPR and DPA to the letter but lapses or vulnerabilities can become apparent. Remove that concern with compliant, safe and secure storage with Stockroom London today. Contact us to see how we can keep your vital documents and records safe.

Comments

No comments yet.

Leave a Reply

Your email address will not be published. Required fields are marked *