The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO). It will come into effect on 25 May 2018, to coincide with the GDPR coming into force.

Currently, organisations that are controllers of personal data are legally required to register details of their processing activities with the ICO and pay a notification fee of £35 or £500, unless they are exempt.

This two-tier structure will be replaced by a three-tier annual fee structure based on the relative risk to the data that an organisation processes. This will be measured according to a number of factors, including size, turnover, and whether an organisation is a public authority or charity.

The three-tier fee structure is as follows:

Tier 1
Micro organisations.
Maximum turnover of £632,000 or no more than ten members of staff.

Fee: £40 (or £35 if paid by direct debit)

Tier 2
Small or medium organisations.
Maximum turnover of £36 million or no more than 250 members of staff.

Fee: £60

Tier 3
Large organisations.
Those not meeting the criteria of Tiers 1 or 2.

Fee: £2,900

This new fee structure will come into effect on 25 May 2018, so until then, organisations are legally required to pay the current notification fee under the two-tier structure, unless they are exempt. There will continue to be financial penalties for not paying fees, but these will be in the form of civil monetary penalties rather than a criminal sanction.

Exemptions

Generally, organisations that are controllers of personal data are required to pay the notification fee. However, there are exemptions for organisations that process personal data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family, or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

It is important to note that even if there is an exemption to paying a fee, there is still a need to comply with other data protection obligations.

In the meantime, the ICO has stated, “if you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months,” so data controllers do not need to pay another fee until their current notification has expired.