The 1984 Data Protection Act covered only electronic data. Organisations that processed personal data electronically had to register with the Data Protection Registrar. Registration was a crucial stage, because it was the sign that you had to comply with the Data Protection Act. If everything you did was on paper, you were outside the scope of the 1984 Act.
In 1998, things changed. The new DPA, required by the 1995 EU Directive, went further by grabbing personal data held in structured manual files. The Registrar became (briefly) the Data Protection Commissioner and then the Information Commissioner. As the name change implied, the emphasis on registration (renamed notification) diminished, because even if you processed all of your data on paper, it was at least possible that you had to comply with Data Protection because you might hold structured paper files.
Notification is one of the most pedestrian DP activities – it’s a largely mechanical process that many treat as a tick-box exercise, an annual admin job to be done as quickly as possible. When I was a DP officer, the Information Commissioner had to write to local authorities to point out that we were nearly all involved in data matching, but none of us had bothered to add it to our notifications. Notification does have a sting in the tail, because non-notification is a criminal offence. But even this is not that significant – for many organisations it’s an annual bit of admin, and for many others, it’s unnecessary because they are exempt. It has been a surprise, therefore, to see online concern about notification.
The cause is VATMOSS, an online system for paying overseas VAT for small business, named seemingly to sound like a Tom Baker-era Doctor Who villain. I’m no expert on VATMOSS but the idea is that the EU is applying VAT to online businesses including the very smallest, payable in the country where the product is purchased. Small online businesses selling direct will therefore need a method to pay the VAT when selling items in other EU countries and VATMOSS is HMRC’s online method of doing so. I said I wasn’t an expert, but it sounds like a parody of unnecessary EU red tape and a recipe for deterring some little businesses from trading online at all, or at least outside UK, where the existing VAT payment threshold still applies.
As well as the mess of VATMOSS itself, HMRC have added further complexity by talking about Data Protection. VATMOSS requires vendors to retain proof of the customer’s location, and to retain it for 10 years. The HMRC guidance is explicit:
As you have to keep customer records electronically you will need to register as a data controller with the Information Commissioner’s Office (ICO), if you are not already registered. The current cost is £35 per year. The requirement to register is based on your place of business, and not the location of your customers; so you (as a UK business) will only have to register with the ICO in the UK, and not with the equivalent registrar in any other member state.
In one sense, this is true. A business that is wholly paper-based is exempt from notification, and so any online vendor keeping customer details electronically for the first time because of VATMOSS might be captured. However, there are two problems with this – firstly, I find it hard to believe that an online vendor would not already hold customer details – names, addresses and email addresses, for example. This is personal data, and so they would already be in the frame. However, it doesn’t matter whether that is the case. In 2000, regulations were passed under the DPA 1998, fleshing out how notification works. Three broad areas of business processing were exempted from notification, the so-called ‘core purposes’. The idea is that if a business – especially a small business – processes personal data for the most basic reasons, notification is unnecessary. The core purposes are staff administration, marketing & advertising, and accounts & records. It’s important to remember that if such data is held and used electronically (or in structured paper files), the DPA still applies. It’s just that the annual £35 fee and notification process are unnecessary.
I believe that the accounts and records exemption covers VATMOSS. The full text of the exemption is this:
the processing… is for the purposes of keeping accounts relating to any business or other activity carried on by the data controller, or deciding whether to accept any person as a customer or supplier, or keeping records of purchases, sales or other transactions for the purpose of ensuring that the requisite payments and deliveries are made or services provided by or to the data controller in respect of those transactions, or for the purpose of making financial or management forecasts to assist him in the conduct of any such business or activity
It’s the bit in bold that I think is the winner. The exemption does state that data should not be retained after the customer relationship ends, unless “it is necessary to do so for the exempt purposes”. Online vendors are clearly required to keep VATMOSS information as part of their accounts, so I believe that the exemption applies.
I don’t actually think Data Protection is a problem here at all, at least, not because of VATMOSS. If the General Data Protection Regulation replaces the EU Directive, DPA 1998 disappears and notification vanishes along with it. Not having to notify does nothing to ameliorate the VATMOSS problem itself, and it doesn’t mean that small businesses (online or not) can ignore the Data Protection Act. The eight principles still apply – customer data should be fairly used, accurate, up-to-date and secure, among other things. The exploits of Jala Transport show that small businesses are not immune even from Data Protection enforcement and civil monetary penalties.
However, I’m convinced that HMRC does not know what it is talking about as far as notification is concerned – the paragraph I quote should at least acknowledge the existence of notification exemptions. I am equally convinced that the vast majority of small / micro businesses do not need to notify. Unless the Information Commissioner comes out with a definite statement that they should notify, my strong advice to small and micro-businesses is this: concentrate your time on two things. Firstly, make sure you know what you’re going to do about VATMOSS (I have no idea what that should be). Secondly, keep all of your customers’ data safe and secure, accurate and up-to-date, especially if these new tax rules mean you have to keep the data for ten years. The impact of the DPA on you should be limited, but not having to notify does not mean that it isn’t there.