A firm has been fined £4,500 for processing personal data without registering with the UK’s data protection watchdog and failing to comply with the body’s missives.
Noble Design and Build, which operates CCTV systems across buildings in Sheffield, was yesterday convicted in their absence at Telford Magistrate’s Court, for data protection breaches.
Under the Data Protection Act 1998, businesses that processed personal data need to register with the Information Commissioner’s Office, but Noble Design and Build failed to do so.
It was pulled up on this in September 2017, when it was also told to ensure that it had the appropriate signage in place to alert people to the fact CCTV was in use.
The business failed to take any heed of two further reminders, as well as an information notice – which compels companies to comply with the ICO’s orders – and so ended up in court.
It was fined £2,000 for failing to comply with the information notice and £2,500 for failing to register with the ICO, on top of which it was ordered to pay costs of 3364.08 and a victim surcharge of £170.
Noble Design and Build was charged under the 1998 Data Protection Act because that’s when the offence took place, even though it has been superseded by the Data Protection Act 2018, which received royal assent in May.
This does not require the same formal notification process, but does introduce a new fee structure – and failure to do so can result in a fixed penalty.
The update also saw payments for organisations in the top tier rise from £500 to £2,900 – part of the government’s bid to ensure the ICO has enough cash in its coffers to function.
Small organisations (maximum turnover of £632,000 or no more than 10 staff) will pay £40 a year, while SMEs (maximum turnover of £36m or no more than 250 employees) will pay £60. Previously those with a turnover of up to £25.9m and less than 250 staff members paid up £35.
However, the government launched a consultation (PDF) to decide whether to set new exemptions or scrap existing ones, which include for organisations that process data for only one “core business” purpose – such as staff administration – and some not-for-profit bodies.
The deadline for this consultation is 1 August. ®