Under the GDPR the requirement that data controllers register with the ICO each year will be dropped and replaced with a requirement that data controllers maintain their own internal data processing record instead. However, in order to provide continued funding for the ICO’s activities, all data controllers will have to continue paying an annual fee.
The new charging structure is set out in the Data Protection (Charges and Information) Regulations and will come into effect on 25 May 2018 at the same time as the General Data Protection Regulation.
The new fees
The new scheme sees a three tier charging system:
Tier 1: micro organisations - £40 (or £35 if paid by direct debit)
- Organisations with a turnover of up to £632,000 or no more than ten members of staff, small occupational pension schemes, and charities.
Tier 2: small and medium organisations - £60
- Organisations with a turnover of up to £36m or no more than 250 members of staff.
Tier 3: large organisations - £2,900
- All other organisations.
Special rules for public authorities, charities and small occupational pension schemes
The fee payable by public authorities is based on staff numbers only - they do not need to take turnover into account.
Those charities and small occupational pension schemes which are not exempt from paying a fee, will only have to pay the Tier 1 fee regardless of their turnover or how many staff they have.
Any organisation which is processing personal data only for one or more of the following activities will be fully exempt from the requirement to pay a fee:
- staff administration
- advertising, marketing and public relations
- accounts and records
- not-for-profit purposes
- personal, family or household affairs
- maintaining a public register
- judicial functions
- processing personal information without a computer or other similar device.
This exemption is only in relation to payment of the fee – you will still need to ensure that you are complying with the other obligations set out in GDPR.
How/when to start paying the new fee
Existing ICO registrations will remain valid for their full 12 month term so there is no need to take any specific action whilst you are still covered under a current registration.
As registrations fall due for renewal, the ICO will contact data controllers giving notice of the new arrangements and fees. The ICO will make a preliminary decision as to which tier an organisation falls within based on the information it holds in relation to the existing registration. If you disagree with the ICOs allocation, you can contact them and explain why you should be in a different tier.
It is worth noting that the ICO will automatically assign organisations to Tier 3 unless information is available to demonstrate that Tier 1 or 2 should apply.
First time registration
If you are a non-exempt data controller who has not previously registered with the ICO and paid a fee, you will need to do so. The quickest and easiest way to register is via the ICO website. Registration, prior to 25 May 2018, will be subject to the current fee structure and the requirement to provide detailed information regarding your processing activities.
It is a criminal offence for a non-exempt data controller to fail to pay the annual fee or pay an incorrect fee. From 25 May 2018, the ICO will be able to impose fines for non-payment of up to £4,350.