Currently, with few exceptions, it is mandatory that if a business handles personal information (e.g. client or supplier names, staff records) then it must register as a Data Controller with the ICO. In effect, this is criminalising hundreds of thousands of company directors who do not realise they must register.
Data Controller registration makes no difference to how most businesses approach Information Security, and so the legislation fails to meet its objectives; for example, registering as a Data Controller did not prevent HMRC from famously losing the disk of personal data.
The ICO publishes an online database of registered Data Controllers which is typically out of date by anywhere from a few weeks to a few months. The database is meant to give people a rough idea of how a company is using their personal data. In reality, a common use of the database is by disgruntled employees or customers who seek to extort money from companies that have not complied with the legislation by registering. The actual registration in the database has no real value to businesses or data subjects; in fact, the costs exceed the benefits.
If you do not believe me that this is the common use of the database, then call the ICO helpline, who confirmed it to me. I have advised my own clients to pursue companies in compensation negotiations for a company failing to comply, and have also worked in several companies fighting off a range of dismissed and disciplined employees who exploit the Data Protection process for financial gain.
Registering as a Data Controller is a significant burden to very small companies – it can take around a day to get to grips with what is required and to make the application, and then there is the continual annual administration of the direct debit. It makes no difference to the approach to Information Security for most companies.
For larger companies, the Boards do not understand the legislation and over-react in terms of the legal fees spent on registrations and compliance. There is a multi-million pound business around complying with the legislation, together with embedded costs within businesses, which makes no improvement to Information Security — the approach being taken is to show how the current business processes justify that the business complies with the legislation, which can require significant legal effort.
The annual data protection registration fee (£35 per year or more depending on the business) and the bureaucracy around it is an administrative burden which is being used to support a process that does not deliver value for money.
Some companies will continue to want to register voluntarily as Data Controllers if the option is available for marketing purposes, e.g. to show credibility to customers and employees. But this is a choice for companies, not the state, to make. The ICO should be expected to sell registrations as a private company would have to. Currently the ICO is protected by the state from having to ensure the process adds value, which has resulted in a process that adds no value.