The new data protection fee – ICO cracks down on non-payment!

The Information Commissioner’s Office (ICO) has recently issued 34 enforcement notices to organisations who have failed to pay the new data protection fee under the GDPR and Data Protection Act 2018 (DPA 2018). We understand that more such enforcement notices are to follow soon.

These enforcement notices serve as a reminder to organisations that the ICO is taking GDPR and DPA 2018 enforcement seriously and is committed to ensuring organisations are aware of (and comply with) their obligations!

What is the data protection fee?

Under the old legislation (the Data Protection Act 1998) all data controllers had to be registered with the ICO and paid a fee for this registration based on the size and turnover of the organisation (£35 or £500), which was renewed on an annual basis.

Under GDPR and the DPA 2018, the requirement to register with the ICO has been removed and organisations no longer need to notify/register with the ICO but instead must pay a fee – the “data protection fee” depending on the size of the organisation.

This fee was established under the Data Protection (Charges and Information) Regulations 2018 and came into force, alongside the GDPR and DPA 2018, on 25 May 2018 (see our earlier blog on this here)

There are three tiers of fee charged by the ICO, depending on the size of the organisation:

Tier 1 (Micro organisations) – these are organisations with a turnover of less than £632,000 or that have no more than 10 staff = £40 fee (or £35 if you pay by direct debit).

Tier 2 (SMEs) – these are organisations with a turnover of less than £36 million or that have no more than 250 staff = £60 fee.

Tier 3 (Large organisations) – these are organisations with more than 250 staff or a turnover of more than £36 million = £2,900 fee.

Do I have to pay it?

In short – yes. If you process personal data, you need to pay the data protection fee[i].

If you have an existing registration under the old legislation which was renewed prior to 25 May 2018, you do not need to pay the new data protection fee until your registration expires.

What happens if I don’t pay?

If you don’t pay – you could be one of the organisations on the receiving end of an enforcement notice from the ICO. This first batch of 34 notices will serve as a reminder to many organisations to pay the data protection fee. The ICO has made clear that more notices are at the drafting stage and will be issued soon.

Failure to pay the data protection fee may result in a fine from the ICO – this will be calculated based on the size of your organisation but could be as much as £4,350!

All of the organisations who have been sent these enforcement notices have 21 days to respond – if they pay the ICO will stop the enforcement action.

Conclusion

This action by the ICO should serve as a reminder to organisations that the new data protection fee must be paid or you risk fines/other enforcement action by the ICO.

The new GDPR and DPA 2018 obligations for organisations can be confusing, however it is clear that if you are processing personal data – you should be paying the data protection fee to the ICO!

If you require any advice and/or assistance in relation to the GDPR or DPA 2018, please do not hesitate to get in contact with our dedicated data protection team who would be delighted to assist.

[i] There are a limited number of exemptions.

This article we co-written by Rebecca Henderson.

Technology, Media & Telecoms

With very few areas not impacted by technology, media and telecoms, we remain focused on ensuring we stay ahead of the curve in advising clients of the ever-increasing body of law, regulation and policy affecting the sector.

Latest updates from @MacRoberts