Some of our members have contacted us recently after receiving what they thought were hoax e-mails from the Information Commissioner’s Office (ICO).
Whilst we have no doubt that such e-mails may well be doing the rounds, it is important to note that, after the new Data Protection Regulations were introduced by ICO in May last year, they have changed the way that they charge for registration, and your e-mail may well be genuine.
If you were previously registered, you will receive an e-mail reminder from the Commission a few weeks before your renewal date, reminding you to renew, and also to pay the new fee.
If you have any doubts about the legitimacy of an e-mail you have received from ICO, call them on 0303 123 1113, or email firstname.lastname@example.org. You’ll need your reference and your security number, which were sent to you when you first applied.
As a reminder of the changes:
On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force, changing the way the Information Commissioner’s Office funds its data protection work.
Under the 2018 Regulations, organisations that class themselves as data controllers must pay a data protection fee unless they are exempt.
The new data protection fee replaces the requirement to ‘notify’ or register, which was in the Data Protection Act 1998 (the 1998 Act).
Although the 2018 Regulations came into effect on 25 May 2018, this doesn’t mean everyone now has to pay the new fee. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.
How much is the data protection fee?
There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The tier you fall into depends on:
- how many members of staff you have
- your annual turnover
- whether you are a public authority
- whether you are a charity
- whether you are a small occupational pension scheme.
Not all controllers must pay a fee. Many can rely on an exemption.
If you currently have a registration (or notification) under the DPA 1998, you will not need to pay the new data protection fee until your registration expires. ICO will write to you before this happens, to remind you it is about to expire and to explain what you need to do next. If you are already registered, they will decide what tier you are in based on the information they have. If you think they are wrong, contact them using the details above to discuss it.
If you aren’t currently registered because your registration has recently expired, they will regard you as eligible to pay a fee in tier 3 unless and until you tell them otherwise.
If you are paying for the first time you will need to give the ICO certain information such as the name of your organisation, the best way to contact you and the fee tier you think you fall into. The quickest way to do this is online here.
What happens if I don’t pay my fee?
ICO will send you a reminder explaining when you need to pay. If you don’t pay, or tell them why you are no longer required to pay a fee, they will issue a notice of intent 14 days after expiry. You will have 21 days to pay or make representations. If you do not pay or fail to notify them that you no longer need to pay, you may be issued with a fine of up to £4,350 (150% of the top tier fee).