https://companieshouse.blog.gov.uk/2018/04/18/protecting-you-protecting-us/

GDPR: Protecting you, protecting us

I’m Alex Walters and I’m the data protection officer at Companies House. One of my main responsibilities is making sure Companies House complies with the new General Data Protection Regulation (GDPR).

As an organisation, we’re responsible for the personal data of millions of company officers, and hundreds of staff. As such, our GDPR journey was never going to be a quick and easy one. But, it’s certainly been very interesting.

Our main priority is protecting our customers’ data and information, as well as protecting our own information.

GDPR protecting your data title with cartoon customer profiles.

Our GDPR journey started way back in May 2017. For those who are not aware, the GDPR was passed by the European Union in April 2016 and has a far-reaching impact on data security. It now means, any organisation that does business with EU citizens must comply with the GDPR's expanded and more stringent data protection rules. And, it sets out the lawful way Companies House as an organisation, and its employees, should store and manage data.

The deadline date is 25 May 2018. All organisations, including Companies House, should be compliant by this date.

I’ve learnt some important lessons during our GDPR journey. Firstly, GDPR is new for everyone – not just Companies House. And, it’s taken me time to understand the law and its implications for the public register, and for us as an employer.

Secondly, I’ve learnt the importance of having senior level buy-in from the outset. Providing them with clear and accurate information at the earliest opportunity, means we now have a senior team that really understands the GDPR and its challenges; as well as the opportunities it brings.

Unfortunately, I’ve seen plenty of inaccurate information in the media. There’s been lots of scaremongering around GDPR.  As such, it was important for me to bust the myths, and reassure colleagues that it’s not as scary as they think. It does not mean we need to suddenly get consent for statutory processing, and it does not mean the end of the public register of companies.

Another lesson I’ve learnt, is not to underestimate the size and complexity of the task. I quickly realised that the GDPR requirements are wide-ranging. Recording all the processing of personal data that happens across the organisation was an enormous manual task. It took a lot of time and plenty of debate, but we got there in the end!

Working closely with other executive agencies, especially our sponsor department, BEIS, has helped to establish solutions and agree best practice. I’ve found this teamwork to be extremely useful.

Over the last few months, I’ve been part of a working group with policy and communications colleagues. One of our aims was to increase GDPR awareness, and the actions needed to comply as an organisation. Together, we developed a fantastic campaign involving bright colours, retro characters and memorable messages.

The 5 key messages of the campaign are:

  • everyone is responsible for protecting personal data
  • spend time ‘housekeeping’
  • know how to recognise and report security incidents
  • know how to recognise GDPR requests and who to notify
  • help Companies House remain compliant through good information management
Image of our GDPR campaign banners.
Our GDPR campaign banners featuring retro characters and important messages.

We held a GDPR information event for staff in January 2018, which coincided with International Data Protection Day. All Companies House staff were invited to find out more about the campaign, and how the new GDPR affects their teams.

The campaign itself launched on 21 March and was extremely well-received, with many departments and individuals requesting further information. The information rights team will now begin a Companies House ‘tour’, attending team meetings across the organisation to continue to support and reinforce these GDPR messages.

So, in summary. The GDPR law is complex, wide-ranging and brand new. But, the team and I will continue to embed its principles into our everyday work – protecting you, our customers, and protecting us.

Help make Companies House better: complete our survey and enter a free draw to win an iPad Pro.

To keep in touch, sign up to email updates from this blog, or follow us on Twitter.

50 comments

  1. Comment by Ron posted on

    This post is dishonest. Pre and post GDPR, there will be no fundamental difference to how data is "protected" by Companies House because none of the data is protected. All company director PII data and all related information is made public in such a way that it is regularly indexed by all search engines, can be scrapped completely by any third party aggregation site from anywhere in the world, can be used by Facebook to create profiles (I found mine) and by any other social media outlet if they wanted to. This data can be moved to any country outside of the EU and by any party that wants to use it. There is no control by the individual on how any of their PII data is used (which includes date of birth and home address). Companies should definitely not use this article as a way to implement GDPR.

    What does this mean to anyone who is/was a company director? It means that their data is exempt from the protections of GDPR (and also are not covered by any of the EU Data Privacy directives). Third Party Websites that hold this data are under no obligation to remove it on your request.

    I think Companies House needs to be honest in its use of the words "protecting you", because there has never been any attempt to protect the data that they hold or provide the individuals any way of protecting themselves.

    GDPR regulations for Companies House is only to protect its own employees data.

    • Replies to Ron>

      Comment by Alex Walters posted on

      Hi Ron, protecting data, for us, means complying with the GDPR which we will be doing. It also means being transparent with our customers about what we're doing with their data, which we're also doing. Whilst we can't stop producing a public register, we can help customers understand what we do with their data, and ensure that our systems and processes are fully compliant.

      • Replies to Alex Walters>

        Comment by Kenneth Tombs posted on

        While I would go with Ron's comments as a reflection of how many executives listed at Companies House feel, yet directors are special people with legal commitments and behaviours they must keep. A public register exists for a good reason, to stop fraud and malpractice meaning GDPR must not be a shield to hide behind. GDPR wont stop people scraping directors data to make money from, what it will do is make it illegal when they get caught having no legitimate purpose for doing so. Hopefully CH has listened to concerns about home addresses and we'll see that side of things followed through.

        • Replies to Kenneth Tombs>

          Comment by Ron posted on

          Kenneth, I agree that executives of companies have special legal commitments, but that does not mean that they should be excluded from what are deemed the rights for EU citizens. They are not criminals that need to be displayed in a database for public review.

          The company books and how it trades are public and I agree they should be. What shouldn't be public is the personal information for people that choose to create these companies. Companies House collects this information and stores it already; people aren't creating companies anonymously. How is the public protected from company fraud by displaying the date of birth, home address and nationality of a director on the internet? What about fraud committed against directors? The Financial Times has reported last year that company directors are twice as likely as others to be victims of identity theft and have attributed this to the Companies House registry.

          Having this data public means no one can be prosecuted for scraping this data or using it. Companies House has gone beyond just having a site with a searchable registry; it's designed it to be scrapped and indexed by search engines all over the world (i.e. Google, Bing, Yahoo, Baidu, etc) and also allows the database to be replicated by aggregation sites. This is not something that was required by law.

  2. Comment by Eva posted on

    I have not given consent to Companies House to make my personal details available on the internet, such as month/year of birth (as Director). This is personal information and should not be disclosed online.

    • Replies to Eva>

      Comment by Alex Walters posted on

      The registrar does not rely on consent when making your personal data available on the public register. Consent is just one of a number of legal bases available. In the context of the public register, the registrar makes information about officers available because she has a legal obligation to do so. As a result, she does not need to obtain the consent of every officer that appears on the public register.

      • Replies to Alex Walters>

        Comment by Richard posted on

        Thank you Alex,

        I question how many other EU members publish information about directors' names, addresses and dates of birth on a public register which can be accessed anonymously for free?

        Fundamentally the GDPR legislation was to standardise data protection law.

        Would it be appropriate for Companies to House to state that it cannot apply GDPR to elements of its register - those elements being the PII, and perhaps stating some information could be out of date.

      • Replies to Alex Walters>

        Comment by Gabriel posted on

        Well if you don't ask consent you are clearly breaking the new law. Government bodies are also subjects of the law.

  3. Comment by Ron posted on

    Thanks Alex. However, the main aim of GDPR is to give greater protection and rights to individuals. That is what all the EU data privacy laws have attempted to do. It's also about how personally identifiable data (which include data of birth, address, nationality, etc) is moved within and outside of the EU.

    Since this personal data is available to anyone within and outside of the EU and Companies House has no way of knowing who requested the data, then effectively there are no protections for individuals who are in this database. Any company or individual who breaches my personal data can say that they got the information about me from this site which holds public data. There is no way of tracking how they came across that information. The reality for me becomes that people in this database (over 3 millions people - most of which are for dissolved companies) have lost this basic data protection right.

    The headline and content for this article suggesting that my personal data is being protected by Companies House is dishonest. I cannot control to not have my date of birth, home address or nationality (my personal data) not displayed (for a dissolved company).

    • Replies to Ron>

      Comment by carol posted on

      I have had my identity stolen twice with data being taken from Companies House. They have now taken away the day of birth but I am still sceptical.

  4. Comment by Fiona posted on

    Hi - my directors are keen to have their home addresses removed from the Companies House database where they resigned many years ago - on the basis that this information no longer needs to be kept.

    I understand that this functionality will be available at Companies House shortly, but I can't find it on the website. Are you able to send me a link to this? Thanks

  5. Comment by Ageism Victim struggling to find work posted on

    Why is it necessary to publish Director's date of birth for the general public to see?

    • Replies to Ageism Victim struggling to find work>

      Comment by Alex Walters posted on

      A director’s date of birth is a piece of personal data that is required, by law, to be provided for the public register. Changes to the Companies Act mean that the ‘day’ of the date of birth is no longer made publicly available. In terms of age discrimination, the Government has recognised that this is a serious problem and has introduced legislation to deal with it, which is now part of the Equalities Act 2010. Anybody who believes they have lost employment opportunities because of age discrimination, should take legal advice to see what legal avenues are open to them.

      • Replies to Alex Walters>

        Comment by Ron posted on

        Alex, how would anyone know they were discriminated against by age? A simple search on Google means that the employee can reject the applicant based on age even before getting to the interview stage. This just creates the opportunity for hidden discrimination that can never be proven.

        • Replies to Ron>

          Comment by Alex Walters posted on

          We understand your concerns, but as set out above the Companies Act requires the registrar to collect and publish the month and year of birth of certain officers.

          • Replies to Alex Walters>

            Comment by Matt adams posted on

            Alex - I understand the legal basis companies house has in collecting this data and adding this to a register that can be accessible and the reasoning behind that... however, that legal basis is very different to allowing bulk harvesting. Knowingly allowing search engines with servers outside of the EU (any technically able person) to harvest and republish that PII has to be neglecting companies house responsibilitiblies?

      • Replies to Alex Walters>

        Comment by Stephen posted on

        Alex,

        I know it's the law that a director's personal data is publicly available, but what's the reasoning behind this law?

    • Replies to Ageism Victim struggling to find work>

      Comment by Bob posted on

      Age is important to identify directors. I have needed to tell the difference between two directors with the same name. eg.....

      Mr John Smith
      Mr John Smith

      is not as much use as

      Mr John Smith 61
      Mr John Smith 23

      • Replies to Bob>

        Comment by Ron posted on

        Every director has a unique director ID. This is used to identify directors. That ID should not change during the lifetime of a director and should be the key to list all companies a director is/has been a part of. This is much more accurate and an easier way of finding a director then relying on date of birth and name combination.

        Why would you be looking to identify a director by name only. I'm sure you would need to know the company name as well? Also, how are you going to validate the age of the director? Will you be visiting them to see how old they look or are you going to call and ask for their date of birth to make sure it matches up to the one in Companies House? If anyone called me asking for my date of birth, I would not give them that information.

  6. Comment by Tony Jenkin Jones posted on

    Why do you have to publish my data as a Director publicly? By doing so you are breaching my right to privacy.

    • Replies to Tony Jenkin Jones>

      Comment by Alex Walters posted on

      The registrar is obliged by the Companies Act to make the personal data on the public register available for inspection. She is entitled to rely on an exemption from much of the Data Protection Act 1998 (and, in future, much of the GDPR) due to the fact that she is required by law to make this information available.

  7. Comment by Richard posted on

    I don't see why a date of birth needs to be public information. Surely this is one item that can be removed from the public register?

  8. Comment by Emma posted on

    As both a director and secretary of a non-trading company, I do not want my date of birth published for all to see. I googled my own name recently and my full name, date of birth, and address are there for all to see because I am listed at Companies House in relation to a dormant company. How can I have this sort of personal information removed?

    • Replies to Emma>

      Comment by Alex Walters posted on

      Company information – including information relating to officers of the company – remains on the public record for the lifetime of the company and for 20 years after a company is dissolved. This is useful information for anyone looking to do business with, or search the credit history of, companies and individuals. The fact that a company is dormant makes no difference to the registrar’s legal requirement to make this information available.

      The government has recently made some changes to the law to allow individuals to suppress their residential addresses:

      https://www.gov.uk/government/news/new-laws-to-protect-your-home-address-at-companies-house

  9. Comment by Rosa posted on

    Absolutely agree with all above questions.

  10. Comment by Fo posted on

    Last week, I was browsing internet but I was shocked to see my personal data is available publically. There was a note that anyone copy and use it as they want. This includes date of birth, address, PSC, ICO certificate and all information about me.
    Previously, someone used my personal details and signed a phone contract. I am still struggling to convince mobile company that my details have been used by someone else. But they want me to pay them money. I called to CH about hiding my details publically but operator told me it is not possible.

    Directors or people involved in company are also citizens/residents of this country. Their privacy must be respected and they also have rights. The GDPR is making us more vulnerable and putting us at identity theft.

    Date of birth is private and is used to identify individual according to data protection act. But with GDPR, when all information are public, then anyone can use it to do anything...can apply for loan or in any fraudulent or criminal activity. Before implementing GDPR, our reservations must be listened and resolved. It is also unfair to pay £55 to remove address. It is too much fee.
    Thanks

  11. Comment by Fred posted on

    Why are 10 year old dormant companies still displaying all director information. Surely there is a cut off time period that people can get peace from being hounded by having their personal data out in the wild.

    • Replies to Fred>

      Comment by Alex Walters posted on

      As explained above, company information – including information relating to officers of the company – remains on the public record for the lifetime of the company and for 20 years after a company is dissolved. This is useful information for anyone looking to do business with, or search the credit history of, companies and individuals. The fact that a company is dormant makes no difference to the registrar’s legal requirement to make this information available.

  12. Comment by M H posted on

    My boss persuaded me against my inclination to become company secretary some years ago. I thankfully retired from that position in 2008 but my full details are still available for everyone to see. The annoying "Catch 22" aspect to this is that if I had given the company address instead of my own while I was in office that would have been better for me. I find now that retired officers can no longer change their address in this way.
    This is all even more annoying in light of all the fiddly stuff we have to take on board for GDPR.
    Following a Link on this page, I see that it might be possible in future for me to remove most of my address from the record except for part of the postcode (still not ideal). For this boon I would have to pay £55!

  13. Comment by Audrey posted on

    The GDPR gives people the right to be forgotten. Whilst it is appreciated that companies house is bound by law to hold and even publish a register of directors I would like to believe that this fundamental principal can be
    implemented. I find it disturbing to find my personal data is still showing on Companies House register and as others have stated this will then show up in the various search engines when I resigned my position 18 years ago. Whilst I have had no dealings with that or any other company for a considerable amount of time my personal data is still available for anyone to use. Surely I have the right to be forgotten?

    • Replies to Audrey>

      Comment by Alex Walters posted on

      The right to be forgotten only applies in certain circumstances (Article 17 GDPR) and does not apply where processing is necessary for compliance with a legal obligation. It is therefore unlikely that the registrar will be able to comply with a request to be forgotten, as she is legally obliged to make this information publicly available.

  14. Comment by Bill posted on

    Companies House also makes available PDFs of older documents that required signatures! Utter madness. An absolute gift for fraudsters.

    All those documents should be withheld or at the very least all the personal identifying data and the signatures redacted. Should not be too hard as all the documents have a set format, so could be scanned and sensitive data boxes automatically blanked.

    • Replies to Bill>

      Comment by Dundee posted on

      Hello dear people in this forum.
      You, the people who experience it unreasonably.
      I experience it as a very good means to obtain information about companies that are completely ilegally busy, the so-called boiler rooms, or scam traders, that advertise themselves as registered with the bank, (so that you can deposit your complaints there). an example of this is "Company Information
      BinaryTilt is owned and operated by Chemmi Holdings Limited (company number: 9870892), this is the number of Companies House registration that they are pressuring to make sure everything is in order, so they use Companies House to conduct their practices, how is that for Companies House, they are also used, so they can do if they are legally engaged with their syndicate. Their current president is Sir, DENYS KOLOSOVYCH since 2018, but if you send him a registered letter to his office, he comes back because it a fake address.
      I am glad that this site is there, if you are transparent you have nothing to fear.
      Regards

  15. Comment by Fleur posted on

    It is disgusting that people's date of births are made so public without their consent. Not only is this dangerous due to identity fraud it is personal information that a person should have control over how it is publicised. This needs to change ASAP.

  16. Comment by Nomyrena posted on

    Alex Walters posted onon 25 April 2018
    Hi Ron, protecting data, for us, means complying with the GDPR which we will be doing. It also means being transparent with our customers about what we're doing with their data, which we're also doing. Whilst we can't stop producing a public register, we can help customers understand what we do with their data, and ensure that our systems and processes are fully compliant.

    My Question: Can anyone see Double Standards here? Why “Protecting” should mean one thing for one body and another thing for another body? Protecting personal information is just that – Not making it public isn’t it ? You cannot protect it in any other way. You should not be able to interpret a law how it suits you.

    Alex Walters posted onon 30 April 2018
    The registrar does not rely on consent when making your personal data available on the public register. Consent is just one of a number of legal bases available. In the context of the public register, the registrar makes information about officers available because she has a legal obligation to do so. As a result, she does not need to obtain the consent of every officer that appears on the public register.

    My Questions: a) What piece of legislation makes it mandatory for the registrar to make the personal data of the officers public b) What can we do to change this law c) What’s the reasoning behind the necessity to make the personal information (address, month and year of birth) public

    Alex Walters posted onon 01 May 2018
    A director’s date of birth is a piece of personal data that is required, by law, to be provided for the public register. Changes to the Companies Act mean that the ‘day’ of the date of birth is no longer made publicly available. In terms of age discrimination, the Government has recognised that this is a serious problem and has introduced legislation to deal with it, which is now part of the Equalities Act 2010. Anybody who believes they have lost employment opportunities because of age discrimination, should take legal advice to see what legal avenues are open to them.

    My questions: Is publishing personal data constitute another “Serious Problem” waiting to be recognised by the government? Why the “date of the birth” has been recognised as being a serious problem, but “full address”, “right to be forgotten” hasn’t been recognised as being a serious problem?

  17. Comment by Ali Asgur posted on

    On the Companies House website there exist mortgage deeds with the names, addresses and signatures of those that witnessed the document being signed. The witnesses at no point consented to me, the lender or to Companies House that their details be published. Surely this constitutes a breach of personal information and if so who is liable?

  18. Comment by DC posted on

    Agree with many of these comments. As an ex-Director of a company, a position I resigned from 10 years ago, I am disturbed that my full name, date of birth and email address are available for anyone to find with a quick Google / Bing etc search. Its unfair and discriminatory, and makes me feel vulnerable, not only to fraud, but with regards to my personal safety.

    • Replies to DC>

      Comment by Alex Walters posted on

      Please see our comments above on the fact that the registrar has a legal obligation to make this information available. We do note that you’ve said your email address is publicly available. There is no requirement in law for this information to be on the register, so please email dpo@companieshouse.gov.uk with any concerns of this nature.

  19. Comment by Nicola posted on

    I have recently been a victim of stalking !
    He can easily access my home address from Companies House and I will have to jump through hoops to get it hidden.

    Surely GDPR should cover us and all directors addresses should be the registered office not the home address ?

    As of today I’m terrified

  20. Comment by Ivan posted on

    Personally I think there should be more done to protect company directors and secretaries personal data. At least have people who wish to look up company directors; sign up, give their own full name, date of birth and home address and possibly even pay a small sum. This would hopefully deter all the fraudulent people out there and also allow innocent victims of identity theft more information to give the police via companies house.

  21. Comment by Concerned posted on

    I found out Company House shows my signature so it could be copied by anyone. Accounts and forms I have signed are shown on the website and you are allowing other websites to copy these forms and display them all over the web. Why are you not hiding the signatures before making the forms public?

  22. Comment by Ian posted on

    I am a Director, Co Secretary and an ex-trustee of a charity. All of my details since being a director etc. can be seen since 1990 can be seen on the Companies House website. However, none of my details can be seen on the Charity Commission website!
    Why is it possible for Charity Commission? Surely there should be one set of rules!
    I am not against my details being available in a very basic form but certainly not for general free access to all - if it was only available for a fee then that would probably stop most corrupt organisations from getting information.

  23. Comment by Karen posted on

    Rather than have all the information freely and easily available to anyone who does a quick search on the Internet, it would be fairer to directors if people wanting the information had to make an effort to complete and submit a request form via the website, stating who they are and why they require the information. The information is still there, still freely available, but people would need a reason to see it. At least it would mean that a director's name and all his or her personal details won't come up on page one of Google upon a simple search of a his or her name by someone just being nosey.

  24. Comment by Linda posted on

    You should remove the personal information from appearing in public search engines and third party websites at the very least. It's very easy for someone in any place of the world (including dangerous countries!) to do identity theft. Why is this not even a concern for the government?

  25. Comment by Bill posted on

    Lots of documents and accounts on Companies House website are signed. Why has Companies House has not replied to any of the questions about why they are not masking signatures on these documents to prevent fraud?

  26. Comment by BW posted on

    Alex Walters, as the Data Protection Officer for Companies House you say "any organisation that does business with EU citizens must comply" with GDPR.

    Doesn't the requirement to comply with GDPR come about because Companies House (or any organisation) is operating within the EU, not because it handles the data of EU citizens. Putting the emphasis on EU citizens would exclude non-EU citizens and I am not sure that would be correct.

    Article 3(1) seeks to apply GDPR when an organisation is established in the EU and the EU Commission has made a statement that such organisations should respect the principles of GDPR “whatever the nationality or residence” of a data subject.

    There is a lot of misunderstanding and confusion about GDPR so as you are responsible for Companies House GDPR compliance can I ask you if you agree that non-EU citizens data held within the EU is also covered by GDPR?

  27. Comment by Jonathan Moyle posted on

    Due to the volume and complexity of your comments, we’re not able to reply in full to all queries on this blog.

    For a detailed response, please write to our policy team at enquiries@companieshouse.gov.uk.

    Thank you.