The Information Commissioner’s Office, the body responsible for upholding information rights in the UK, is funded by charges paid by data controllers. There are a number of exemptions to these charges (if you fall within an exemption you do not have to pay), which date back to when digital processing of personal data was not undertaken on the scale it is today. The Department for Culture Media and Sport in the UK is consulting on whether the exemptions are still appropriate which signals that there may be a change in the law coming. This is the chance to give your views. If your organisation is currently relying on an exemption that gets removed, this could give rise to an additional cost.
The current charges range between £40-£2,900, depending on the size of the organisation. Charities and small occupational pension schemes pay the lowest fee.
The exemption likely to be of most interest to organisations is where personal data are processed only for ‘core business purposes’. These include (a) staff administration (including payroll); (b) advertising, marketing and public relations (in connection with the data controller’s own business activity); and (c) accounts and records (except in relation to processing personal data by or obtained from a credit reference agency).
This exemption means that organisations that use personal data only for the ‘core purposes’ need not pay the charge that would otherwise be due. The justification when this exemption was introduced was that the processing would be largely routine and expected by data subjects; but this may no longer be the case, especially in the context of digital marketing.