On 20 February 2018, The Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed data protection fees that the Regulations will levy.
The Regulations replace the previous system of notification under the Data Protection Act 1998. They will come into effect simultaneously with the General Data Protection Regulation on 25 May 2018.
Under the Regulations, data controllers who have a current registration or notification with the ICO will not need to pay the new fees until their existing registration expires. Registration does not automatically expire on 25 May 2018.
1. How the fees are calculated
The Regulations set out three tiers of organisations with accompanying fee levels for each tier. The tier an organisation falls into depends on: (i) how many staff members it has; (ii) its annual turnover; (iii) whether it is a public authority; (iv) whether it is a charity; and (v) whether it is a small occupational pension scheme.
These tiers are clarified below:
Tier 1 – Micro Organisations
- Maximum turnover of £632,000 for the financial year OR no more than 10 members of staff.
- Tier 1 fee = £40.
Tier 2 – Small and Medium Organisations
- Maximum turnover of £36 million for the financial year OR no more than 250 members of staff.
- Tier 2 fee = £60.
Tier 3 – Large Organisations
- Organisations that exceed the caps of the Tier 1 or Tier 2 criteria.
- Tier 3 fee = £2,900.
Importantly, all data controllers are to be regarded as Tier 3 unless they tell the ICO otherwise.
2. Application: the meaning of ‘turnover’ and ‘staff’
In the case of a group company, turnover is calculated separately for each individual company, rather than the overall amount for the group.
A member of staff means: (i) employees; (ii) workers; (iii) office holders; (iv) partners, and (v) part-time workers. The figure is calculated as the average number of individuals working over the financial year.
3. Exceptions, exemptions and the penalty
- Public authorities do not need to take their turnover into account. They are only categorised according to their staff numbers.
- Charities and small occupational pension schemes only have to pay the Tier 1 fee.
- There is no fee payable if personal data is only being processed for one or more of the following purposes: (i) staff administration; (ii) advertising, marketing and public relations; (iii) accounts and records; (iv) not-for-profit purposes; (v) personal, family or household affairs; (vi) maintaining a public register; (vii) judicial functions; or, (viii) processing personal information without an automated system such as a computer.
- It is important to note that being exempt from paying data protection fees does not mean a data controller is exempt from complying with its other data protection obligations.
- It is a criminal offence to not pay data protection fees. The maximum penalty for not paying (or not paying the correct fee) is a £4,350 fine (150% of the Tier 3 fee).
The ICO has cautioned that its guidance is based on a draft version of the Regulations, which have yet to be approved by the UK parliament. The guidance is simply meant to assist data controllers in getting prepared. The Regulations could yet change, so businesses should keep their eye on this space to ensure they comply with the new fees system.