A new data protection registration fee of up to £2,300 per year will apply in the UK from 25 May 2018.
What’s the issue?
While the incoming General Data Protection Regulation (GDPR) does away with an annual notification requirement, it also increases the tasks which need to be carried out by Supervisory Authorities while removing the income they receive from notification fees. Recognising the need for increased revenue, the UK government has decided this will be partially funded by a new annual data protection fee which will replace the current notification fee.
What’s the development?
What does this mean for you?
Data controllers will be required to pay the new fee of £40, £60 or £2,300 (depending on turnover and number of staff) on expiry of their current annual notification, or when registering for the first time any time after 25 May 2018. Exemptions similar to those under the current notification regime may apply.
While some information will need to be submitted with the annual fee, the current notification regime, which requires details about the data processing, will no longer exist under the GDPR.
It is not entirely clear whether data controllers not based in the UK but processing UK personal data will have to register, and there are ambiguities around the registration requirement in relation to cross-border controllers, which will hopefully be addressed in the final version of the Regulations.
How much is the new registration fee?
There are three tiers of fees: £40, £60 and £2,900. The fee payable will depend on how many members of staff an organisation has, its annual turnover, and whether or not it is a public authority, a charity or a small occupational pension scheme. Some data controllers will be exempt from registration fees.
- Tier 1, micro organisations - £40: maximum turnover of £632,000 for the financial year OR no more than ten members of staff;
- Tier 2, small and medium organisations - £60: maximum turnover of £36m for the financial year OR no more than 250 members of staff; and
- Tier 3, large organisations - £2,900: all other eligible organisations.
Note that the ICO will regard all controllers registering for the first time (and not currently notified under the Data Protection Act 1998) as eligible to pay a Tier 3 fee unless and until it is told otherwise.
How to calculate number of staff
Who is a member of staff is broadly defined. It includes all employees (including part time), workers, office holders and partners, whether based in the UK, overseas or both. This total is calculated as an average number across the financial year.
How to calculate turnover
- in relation to a company – s474 Companies Act 2006;
- in relation to an LLP – s474 Companies Act 2006 as applied by regulation 32 of the LLP (Accounts and Audit) (Application of Companies Act 2006) Regulations 2008; and
- in relation to all other cases, the amounts derived by the data controller from the provision of goods and services falling within the data controller’s ordinary activities, after deduction of trade discounts, VAT and any other taxes based on those amounts.
What is a financial year?
If the data controller has been in existence for less than twelve months, the period of its existence. In any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided or a charge is being paid. For Companies and LLPs, this is determined in accordance with the Companies Act and Companies Act as applied to LLPs respectively. For other organisations, it is the period covering twelve consecutive months over which a data controller determines income and expenditure.
Exceptions to the Tiers
- Public authorities should only categorise themselves using the staff number calculations (and not turnover); and
- Charities and small occupational pension schemes which are not otherwise subject to an exemption will only be liable for Tier 1, regardless of size or turnover.
Organisations processing personal data only for one or more of the following purposes will not have to pay a registration fee:
- staff administration;
- advertising, marketing and public relations;
- accounts and records;
- not-for-profit purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions; or
- processing personal information without an automated system such as a computer.
The ICO will publish a self-assessment tool before the Regulations come into effect. If an organisation is already registered under the 1998 Data Protection Act, the ICO will decide which Tier is applicable and organisations have the right to object. An organisation paying a fee for the first time will need to inform the ICO of its name, contact details, and which level of fee it thinks it will need to pay. A telephone line has been set up to take this information, which can also be submitted online.
The ICO will collect the following information from all registrants:
- name and address of controller and other trading names;
- number of staff;
- turnover for financial year; and
- contact details for: person completing the registration process; person responsible for regulatory issues and renewal of registration fee if different; and the DPO (if there is one).
Information which the ICO will publish will be limited to:
- name and address of controller (but not individual contacts);
- data protection registration number allocated by the ICO;
- level of fee paid;
- date of fee payment and renewal date; and
- contact details for DPO if there is one and their name subject to opt-in.
Sanctions for non-compliance
Failure to pay a fee, or to pay the correct fee, is subject to a maximum penalty of £4,350 (150% of the Tier 3 payment).