RCHM Standard Operating Procedure
ICO Registration and Data Protection Oversight

Version: 1.0
Owner: CEO
Governance Lead: Data Protection Director (nominated by Council – TBC)
Operational Lead: Operations Manager
Review Cycle: Annual

1. Purpose

To set out the responsibilities and administrative requirements for maintaining the RCHM’s registration with the Information Commissioner’s Office (ICO) and overseeing data protection compliance, including the management of data breaches.

This SOP sits alongside the RCHM Data Protection Policy.

2. Scope

This SOP covers all personal data processed by the RCHM in relation to:

  • Membership

  • Graduates

  • Applicants

  • Public communications

  • Events

  • Finance

  • Governance

  • Partnerships

It does not cover staff-only HR data.

3. Roles and Responsibilities

Data Protection Director

  • Holds governance-level responsibility for data protection.

  • Receives annual assurance.

  • Signs off the annual renewal.

  • Oversees breach management decisions.

  • Reports to Council.

CEO

  • Provides organisational oversight.

  • Ensures the Operations Manager has sufficient capacity to undertake the required tasks.

  • Supports breach management and communication.

Operations Manager

  • Acts as operational lead.

  • Maintains the ICO registration.

  • Completes annual renewals.

  • Keeps records of data processing systems.

  • Coordinates initial responses to any breaches.

4. Tasks

Initial Registration

  • Complete the initial ICO registration.

  • Save the certificate internally.

  • Log the renewal date.

Annual Renewal

  • Review the renewal notice.

  • Check organisational details for accuracy.

  • Pay the renewal fee.

  • Update internal records.

  • Present the renewed certificate to the Data Protection Director.

Routine Administration

  • Maintain an up-to-date register of systems storing personal data.

  • Review processing activities annually.

  • Identify any organisational changes that require an update to the ICO record.

Compliance Monitoring

  • Ensure password controls and access permissions are maintained.

  • Keep a short log of concerns or minor incidents.

  • Support the CEO in preparing the annual governance statement for Council.

5. Data Breaches

The Operations Manager will:

  • Contain the breach.

  • Assess the risk.

  • Inform the CEO and Data Protection Director within 24 hours.

If notification is required, the CEO and Data Protection Director will approve the report before it is submitted to the ICO.

All breaches will be recorded internally, together with corrective actions taken.

6. Timetable

Monthly

  • Review systems and note any issues.

Quarterly

  • Review access permissions and system integrity.

Annually

  • Complete ICO renewal.

  • Update records.

  • Provide assurance to the Data Protection Director and Council.

As required

  • Respond to breaches or changes in data processing.

7. Administrative Load

Routine administration requires approximately three hours per year. Significant additional time will only be required in the event of a breach.

8. Review

This SOP will be reviewed annually by the CEO, Data Protection Director and Operations Manager.

Any proposed amendments will be submitted to Council for approval.