The Government has announced a new charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO).
The new structure was laid before Parliament as a Statutory Instrument and will come into effect on 25 May 2018, to coincide with the General Data Protection Regulation.
Until then, organisations are legally required to pay the current notification fee, unless they are exempt.
Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt. These fees fund the Office’s data protection work, which includes work under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).
The new data protection fee replaces the requirement to ‘notify’ (or register), which is in the Data Protection Act 1998 (the 1998 Act). The ICO will have the power to enforce the 2018 Regulations and to serve monetary penalties on those who refuse to pay their data protection fee.
Although the 2018 Regulations come into effect on 25 May 2018, this doesn’t mean everyone has to pay the new fee on that date. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.
The ICO undertakes to email registered organisations six weeks before their registration expires.
How much will the data protection fee be?
There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
The tier you fall into depends on:
- how many members of staff you have
- your annual turnover
- whether you are a public authority
- whether you are a charity
Not all controllers must pay a fee. Many can rely on an exemption.
Tier 1 – micro organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
Please note that the ICO will regard all controllers as liable to pay the tier 3 fee unless and until you tell them otherwise.
Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover. However, the onus will be on you, when you either register or renew your registration, to inform the ICO that you have charitable status.
The criteria for exemption from fees are currently:
- you are only processing data for the purposes of establishing or maintaining membership or support for a body or association not established or conducted for profit, or providing or administering activities for individuals who are members of the body or association or have regular contact with
- you only hold information about individuals whose data you need to process for this exempt purpose
- the personal data you process is restricted to personal information that is necessary for this exempt purpose
Please note that the exemption is only from fees – you must still register with the ICO as a data controller.
More guidance will be available before 25 May, and you are advised to check the ICO website regularly.