Who needs to register with ICO? It is a question that has caused some confusion. Many believe that it is only data controllers that need to. However, as we shall see, data processors must also register.

What is a data controller?

Typically, if you decide ‘why’ and ‘how’ personal data should be processed, then you are a data controller. This ICO checklist should help you understand if you are or not:

  • Have you decided to collect or process personal data?
  • Did you decide what the purpose or outcome of the processing was to be?
  • Was the type of personal data to be collected decided upon by you?
  • Did you decide which individuals to collect personal data about?
  • When processing personal data, do you benefit commercially or otherwise?*
  • Do you process personal data because you have a contract with the data subject?
  • Are the data subjects your employees?
  • Are decisions about the individuals concerned made due to the result of the processing?
  • Do you exercise professional judgement in the processing of personal data?
  • Is there a direct relationship in place with the data subjects?
  • Do you have complete autonomy over how the data is processed?
  • Have you appointed the processors to process personal data on your behalf?

The more ‘yes’ answers given, then the more likely you are to fall within the data controller category.

*Except for any payment for services from another controller.

There is also a checklist to see if you are a joint controller. As before, more ‘yes’ answers will indicate that you are:

  • Do you have a common objective with others with regard to the processing?
  • Are you processing personal data for the same reason as another controller?
  • Do you use personal data from the same database as another controller?
  • Have you designed a process with another?
  • Are there common information management rules with another controller?

What is a data processor?

If you process data received from a data controller, then you are a data processor. Typically, data processors neither own nor control the data – use the following checklist if you are in doubt:

  • When processing data, are you simply following instructions?
  • Were you given the data or told what data to collect by a customer or third party?
  • Do you decide to collect personal data from individuals?
  • Are you responsible for deciding what data should be collected?
  • Do you decide upon the lawful basis for using the data?
  • Are you responsible for deciding the purpose/s data will be used for?
  • Does it fall to you to decide whether or not to disclose data and to whom?
  • Do you choose how long to retain the data?
  • Are decisions on how data is processed made under a third-party contract?
  • Does the end result of the processing interest you?


The Information Commissioner’s Office is the UK’s independent body for the upholding of information rights in the public interest. In accordance with the Data Protection (Charges and Information) Regulations 2018, any organisation that processes personal information must pay a fee to the ICO. If they fail to do so then a fixed penalty is in place, unless they are exempt. There are currently more than 1 million fee payers and you can check to see if you should pay by using this link. You can also use this Gov link to register with ICO and pay the fee.

Who needs to register with ICO?

Any organisation processing personal information, including both controllers and processors of data.

Data protection officer (DPO)

You must appoint a DPO as either a data controller or a data processor. Under the UK GDPR, you must appoint a DPO if you are a public authority or body. You must do so if your core activities involve “the regular and systematic monitoring of individuals” on a large scale. You are also required to appoint a DPO if your core activities include the “large scale processing of special categories of data or data relating to criminal convictions and offences.”

The ICO website reveals more about this but if you require more guidance, feel free to contact us. The bottom line is that you need a DPO if you are handling large quantities of personal data. CRIBB provides a DPO service for those who do not have the internal resources to facilitate this important role. Taking this step not only demonstrates compliance but more importantly it also offers peace of mind to those whose data you are handling. Read more about appointing a DPO in the post-Brexit world.

And finally…

CRIBB Cyber Security turns 5 this month

That’s right, your favourite certification body is 5! To celebrate, we are offering a free, 1-hour cyber risk consultation. Contact us now to take advantage of this special offer and to take huge steps towards cyber resilience…