Parliament publishes new data protection payment provisions
On 20 February 2018, the UK Parliament published draft Regulations setting out a requirement for controllers (those who determine the purposes for which data is collected) to pay a charge, and provide information, to the Information Commissioner’s Office (ICO) as of 25 May 2018.
Following our previous blog (GDPR puts an end to data controller registration but fees are to remain!), the new Regulations set out the different charge levels which controllers will be required to pay to the ICO upon the implementation of the General Data Protection Regulation (GDPR).
The current regime
Subject to a few exemptions, the Data Protection Act currently requires all data controllers to register with the ICO and pay an annual notification fee in order for such registration to remain in place. There are currently two tiers of notification fees payable: £35 or £500, depending on (i) the number of employees; and (ii) the turnover of the organisation.
The new regime
Under the GDPR, controllers are no longer required to register with national data protection supervisory authorities (such as the ICO). However, the GDPR does place an obligation on Member States to ensure that their supervisory authorities are afforded sufficient financial resources in order for them to adequately perform their tasks. The new Regulations will, therefore, replace the current notification fees with new charges on controllers.
What does this mean in practice for your organisation?
The new Regulations set out specific information which controllers are required to provide to the ICO in order to determine the charge payable. As under the current regime, an organisation’s turnover and the number of employees are taken into account (except for public authorities, where the charge payable depends only on the number of employees). Each controller is required to pay the relevant charge in respect of each 12 month “charge period”. However, the date on which that “charge period” begins will differ depending on whether the controller is already a controller before, or only becomes a controller when, the Regulations come into force.
The new regime consists of three tiers of charges (with a £5 discount applied to each tier for controllers paying by direct debit):
- Tier 1 (Micro Organisations, Charities and Small Occupational Pensions Schemes): £40
- Tier 2 (Small and Medium Organisations): £60
- Tier 3 (Large Organisations): £2,900
In an attempt to reduce the burden on small organisations, those who qualify as micro organisations and who pay by direct debit will, therefore, be subject to the same charge (£35) as under the current regime. However, the explanatory note to the new Regulations notes that most controllers formerly paying the £500 notification fee will likely become subject to the Tier 3 (£2,900) charge – an increase which is said to:
- “reflect the increased level of information risk inherent in this category of data controllers”; and
- “acknowledge that large organisations are likely to process more personal data and therefore will generally draw more heavily on the ICO’s resources”.
There are a number of exemptions from the requirement to pay a charge under the new regime, and these are broadly similar to those under the current regime.
The explanatory note to the new Regulations sets out the three main policy objectives of the new regime:
- Safeguards the ICO’s statutory independence by ensuring an adequate and stable level of funding, with no recourse to public funds;
- Raises awareness of, and therefore compliance with, data protection obligations by data controllers;
- Builds regulatory risk into the charge level.
As a result of the GDPR, the ICO’s supervisory responsibilities and remit will expand (e.g. in relation to mandatory breach notifications and data protection impact assessments), and the new Regulations aim to ensure that the ICO has the necessary financial resources. It is anticipated that meeting the three objectives outlined above will in turn increase public confidence that personal data is being handled appropriately.
The outcome of the new regime was based on a closed consultation; however, a public consultation with regard to the exemptions is intended later this year. It is expected that the ICO will issue further guidance on the new charge structure on its website and in its e-newsletter in due course. In the meantime, controllers should ensure they consider their position (and how much they will be required to pay to the ICO) under the new regime.
This article was co-written by Rhea McKenzie (email@example.com).