Data protection – ICO mailing campaign

One of our clients recently asked this ‘easy’ question.



“We are a limited company but the firm is 100% owned by a holding company. We have received a letter from the ICO asking us to register the holding company.

Does the holding company need to register – it will not be controlling or processing data?”

While the question is undoubtedly easy, the answer is not so straightforward!

Whether the holding company needs to be registered depends entirely on whether it processes personal information.

‘Processing’ means doing any of the following with the information:

  • obtaining it;
  • recording it;
  • storing it;
  • updating it; and
  • sharing it

‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them. So, to determine whether the firm needs to register, the firm must first assess whether it is in fact undertaking any of the processing actions listed above. If not, the holding company does not need to be registered, but it would certainly need to inform the ICO that it does not intend to register and on what grounds.

Why is the ICO writing to firms?

This all stems from a mass mailing exercise that the ICO embarked upon in December 2019. You can read about it here.

This page includes a link to a ‘form’ that enables companies to advise why they believe they are exempt. The exemptions are listed in the Data Protection Act 2018 schedule.

In the case of a holding company, clause 2f is the most likely candidate for justifying an exemption:

“subject to sub-paragraph (4), for the purposes of—

(i) keeping accounts, or records of purchases, sales or other transactions

(ii) deciding whether to accept any person as a customer or supplier, or

(iii) making financial or financial management forecasts, in relation to any activity carried on by the data controller”

The problem is that the ICO’s page says “if you hold personal information for business purposes on any electronic device…it is likely an annual fee payment is due”. It is not clear what this is based upon as it could be argued that it effectively negates many of the exemptions.

Action required

So the firm has two options:

  • either inform the ICO that it is claiming exemption; or
  • pay the fee and be done with it.

Many firms in a similar position might well decide to simply register and pay the fee. This could be a pragmatic and sensible response, as failure to pay the fee in circumstances where no exemption applies can lead to a penalty of up to £4350.

Important Note: ATEB news is intended to provide general information ONLY. The content, including any views expressed or guidance provided, does not replace the need to comply fully with FCA Rules and Guidance. Unless you have discussed news article content with ATEB, and specifically how it relates to your circumstances, then ATEB disclaims all liability and responsibility and actions arising from any reliance placed upon it. For the avoidance of doubt therefore, any reliance you place on such information without our consultation is at your own risk.

About the Author

Shirley has a wealth of industry experience and proven track record of working closely with firms to deliver high quality compliance and T&C solutions across a wide range of regulatory disciplines.
