With the deadline for enforcement of the GDPR looming closer, many data controllers had believed that, with the abolition of the requirement to notify the Information Commissioner’s Office (ICO) of their data processing activities, there would no longer be a need to pay notification fees. However, the ICO has recently published a blog piece clarifying how the registration fees that data controllers have to pay to the ICO will change when the General Data Protection Regulation (GDPR) takes effect in May 2018.
The current situation
Currently, under the Data Protection Act 1998 (DPA), organisations that process personal information are required to register with the ICO as data controllers, unless an exemption applies. Data controllers also have to pay a fee, based on their size, of either £35 or £500. The ICO explains that these fees are used to fund most of the ICO’s work.
What is changing?
The ICO explains that when the new data protection legislation comes into effect next year, there will no longer be a requirement to notify the ICO in the same way. However, under the Digital Economy Act 2017 (DEA), it will remain a legal requirement for data controllers to pay the ICO a data protection fee. As is the situation currently, these fees will be used to fund the ICO’s data protection work, and any money the ICO receives in fines will be passed directly back to the Government.
The new fee model
The amount of the data protection fee is still being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS), in consultation with the ICO, and representatives of those likely to be affected by the change. The final fees will be approved by Parliament. The ICO says that the new system will “aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data”.
The current draft proposal for the new data protection fees is a three-tier system, which will still be based on the organisation’s size and turnover, differentiating between small and large organisations and also taking into account how much personal data an organisation is processing. The ICO says that the aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves. It expects to know more by the end of the year and says that it will communicate to data controllers once it does.
The fee ranges used by the DCMS in its recent consultation about future ICO fees have recently been published and included (i) an annual fee of up to £55 for small and medium firms that do not process large volumes of data (Tier 1); (ii) an annual fee of up to £80 for small and medium firms that do process large volumes of data (Tier 2); (iii) an annual fee of up to £1000 for large businesses (Tier 3); and a direct marketing top-up fee of £20 for organisations that carry out electronic marketing activities as part of their business. A third party carried out the consultation on DCMS’s behalf, and DCMS is now considering the responses to the consultation prior to developing fee regulations to support the proposed new funding arrangements.
The new fee model will still include exemptions, but what they will be has yet to be confirmed by the DCMS. The ICO says it expects them to be similar to those under the current regime. The new model will go live on 1 April 2018.
What happens between now and then?
The ICO says that organisations should continue to renew their notifications as usual and reminds controllers that it is still a criminal offence not to notify if an organisation needs to. Until the new fees come in, “[I]t is very much business as usual – so no excuses for not notifying!”, the ICO says. It is not yet clear what penalties will apply for non-payment of data protection fees under the new system, but further detail may be provided in the proposed new regulations governing data protection fees.
The ICO expects that, under the new data protection fee regime, payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations that pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.
For those who are already registered with the ICO, the regulator will be informing them in the reminder paperwork it sends out at renewal time. Next year, the ICO says that it will make clear to those due to renew from April that they will be under the new regime and it will include “everything they need to know to make the process go smoothly.”
Although there is no notification requirement under the GDPR, it looks as though data protection fees in the UK are here to stay. As an alternative to the old notification requirement, the new rules contain obligations on data controllers and processors to maintain certain records of their data processing activities that must be made available to the ICO on request. Exactly what data processing activities records must be kept depends on the size of the organisation. It looks as though, although the ICO will no longer have the administrative burden of running the current notification system, it will not be losing out on collecting fees from data controllers.