The UK has published draft draft Regulations which set out the fees data controllers will be required to pay to the UK ICO, together with draft guidance from the ICO.

While the GDPR does away with an annual notification fee, it also increases the tasks which need to be carried out by Supervisory Authorities, all the while doing away with the income they receive from notification fees. Recognising the need for increased revenue, the UK government has decided this will be partially funded by a new annual data protection fee which will replace the current notification fee.

While some information will need to be submitted with the annual fee, the current notification regime which requires details about the data processing, will no longer exist under the GDPR.

The Regulations are intended to come into force on 25 May 2018, but organisations will only be required to pay the new fee when their current registration expires.

It is not entirely clear whether data controllers not based in the UK but processing UK personal data will have to register.

How much is the new registration fee?

There are three tiers of fees: £40, £60 and £2,900. The fee payable will depend on how many members of staff an organisation has, its annual turnover, and whether or not it is a public authority, a charity or a small occupational pension scheme. Some data controllers will be exempt from registration fees.

  • Tier 1, micro organisations - £40: maximum turnover of £632,000 for the financial year OR no more than ten members of staff;
  • Tier 2, small and medium organisations - £60: maximum turnover of £36m for the financial year OR no more than 250 members of staff; and
  • Tier 3, large organisations - £2900: all other eligible organisations.

Note that the ICO will regard all controllers registering for the first time (and not currently notified under the Data Protection Act 1998) as eligible to pay a Tier 3 fee unless and until it is told otherwise.

How to calculate number of staff

Who is a member of staff is broadly defined. It includes all employees (including part time), workers, office holders and partners, whether based in the UK, overseas or both. This total is calculated as an average number across the financial year.

How to calculate turnover

  • in relation to a company – s474 Companies Act 2006;
  • in relation to an LLP – s474 Companies Act 2006 as applied by regulation 32 of the LLP (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008; and
  • in relation to all other cases, the amounts derived by the data controller from the provision of goods and services falling within the data controller's ordinary activities, after deduction of trade discounts, VAT and any other taxes based on those amounts.

What is a financial year?

If the data controller has been in existence for less than twelve months, the period of its existence. In any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided or a charge is being paid. For Companies and LLPs, this is determined in accordance with the Companies Act and Companies Act as applied to LLPs respectively. For other organisations, it is the period covering twelve consecutive months over which a data controller determines income and expenditure.

Exceptions to the Tiers

  • Public authorities should only categorise themselves using the staff number calculations (and not turnover).
  • Charities and small occupational pension schemes which are not otherwise subject to an exemption will only be liable for Tier 1, regardless of size or turnover.

Exemptions

Organisations processing personal data only for one or more of the following purposes will not have to pay a registration fee:

  • staff administration;
  • advertising, marketing and public relations;
  • accounts and records;
  • not-for-profit purposes;
  • personal, family or household affairs;
  • maintaining a public register;
  • judicial functions; or
  • processing personal information without an automated system such as a computer.

Registration

The ICO will publish a self-assessment tool before the Regulations come into effect. If an organisation is already registered under the 1998 Data Protection Act, the ICO will decide what Tier is applicable and organisations have the right to object. An organisation paying a fee for the first time will need to inform the ICO of its name, contact details, and which level of fee it thinks it will need to pay. A telephone line has been set up to take this information which can also be submitted online.

The ICO will collect the following information from all registrants:

  • name and address of controller and other trading names;
  • number of staff;
  • turnover for financial year; and
  • contact details for: person completing the registration process; person responsible for regulatory issues and renewal of registration fee if different; and the DPO (if there is one).

Information which the ICO will publish will be limited to:

  • name and address of controller (but not individual contacts);
  • data protection registration number allocated by the ICO;
  • level of fee paid;
  • date of fee payment and renewal date; and
  • contact details for DPO if there is one and their name subject to opt-in.

Sanctions for non-compliance

Failure to pay a fee or to pay the correct fee, is subject to a maximum penalty of £4,350 (150% of the Tier 3 payment).