GDPR puts an end to data controller registration but fees are to remain!
The requirement to notify is gone, but you still need to pay fees to the ICO.
What does notification mean?
Under the Data Protection Act 1998 (DPA), personal data must not be processed unless the data controller has registered with the ICO – this is of course subject to a few exemptions.
Currently, registration includes not only the name and address of the controller but also includes the following information:
- the name and address of any representative of the data controller;
- a description of the personal data being processed or to be processed including the categories of individuals to which that personal data relates;
- the purposes for which the personal data is being processed;
- details of any third party recipients that the data controller intends to disclose the personal data to; and
- the details of any country that the data controller intends to transfer personal data to where that country is outside of the EEA.
With notification comes a notification fee; and the current amount due is either £35 or £500 taking into account: (i) the number of employees; and (ii) the turnover of the organisation.
What are the notification requirements under the GDPR?
Notification requirements are now set to change under the GDPR; as it requires that indiscriminate general notifications must be abolished and replaced by policies and procedures which focus on the processing of personal data that is likely to result in high risk to the rights and freedoms of the data subjects themselves.
The ICO has already established that organisations will no longer be required to notify the ICO under the GDPR.
However, please be mindful that due to the overarching “accountability” principle enshrined in the GDPR, most controllers are required to hold internal records noting what would otherwise have been recorded on its notification. These will be live documents and will require to be kept up-to-date and must include the details noted above for notification under the DPA, with a couple of additional requirements such as:
- a requirement to record, where possible, the envisaged lime limits for deletion of different types of data; and
- where possible, a record of the security measures in place to protect an individual’s personal data.
Furthermore, these recording obligations are not limited to controllers and now also extend to processors who also have to maintain and keep records of all processing activities.
Notification gone, but notification fees are here to stay?
The ICO has announced that controllers will still be required to pay a fee even though there is now no requirement to notify them. See the ICO’s blog.
This new fee mechanism has been brought about by the arrival of the Digital Economy Act 2016 which came into force this year. This legislation introduces a three tier system that takes into account (i) the size of the organisation (ii) the amount of data processed; and (iii) the relative risk which results from the organisation’s processing activities. This same tier system is being proposed by the ICO; however, the precise fees are still to be determined.
The exemptions in place under the current system are likely to apply to the new system but this is still to be confirmed.
What does this mean for you?
The new fee model will have effect from 1 April 2018 and so your organisation must still notify the ICO of your processing activities (or renew notifications) as usual until the new regime comes into play next year. And remember – non-compliance with the notification requirement is a criminal offence!