Under the Data Protection Act 1998, all data controllers have to register with the Information Commissioner's Office (ICO). Since 2000 there has been a flat fee of £35 per year for initial registration and subsequent renewals. However, this has all changed.
The new two-tier structure
From 1 October 2009, there is a new two-tier structure for notification fees. The changes are included in the Data Protection (Notification and Notification Fees) (Amendment) Order 2009 (Order) which was laid before Parliament on 6 July 2009.
- A "tier 1" data controller is any controller not covered by tier 2. The notification fee for "tier 1" controllers remains £35 per year.
- A "tier 2" data controller is any controller which:
- is not a charity or a small occupational pension scheme;
- has been in existence for more than a month; and
- has a turnover of £25.9 million or more for its financial year and 250 or more members of staff or, in the case of a public authority, 250 or more members of staff.
The annual notification fee for "tier 2" controllers is now £500.
The Order provides more detail about how these tests will be applied and in particular how the accounting of turnover in a financial year will be assessed.
What this will mean for data controllers
There are two major consequences arising from the change for data controllers:
- controllers will now have to consider carefully which "tier" they fall into when applying for notification; and
- many companies will have to pay substantially more for their data protection notification compliance in the future. This is particularly relevant for large corporate groups.
Although the fee increase will not concern some larger companies, the significant increase may put pressure on some smaller companies which fall just above the threshold for "tier 2".