The ICO has recently announced that it is actively taking enforcement action against organisations for failing to pay the new data protection fee. This article intends to provide a quick recap of the fee to help ensure your organisation does not get caught out!
So what is this fee?
This new fee, introduced by Data Protection (Charges and Information) Regulations 2018, replaces the obligation on controllers (i.e. organisations who determine the purpose for which personal data is processed) under the Data Protection Act 1998 to notify the ICO that it is a controller.
Under the 1998 Act, controllers were also required to pay an annual administration fee ranging from £35 to £500 depending on size of the organisation as part of the notification process.
Although the requirement to notify the ICO has fallen away, the 2018 Regulations now require controllers to pay a new annual data protection fee ranging from £40 to £2,900 unless they are exempt. Who needs to pay this fee?
This new fee is payable by all controllers unless the controller only processes personal data for one or more of the following reasons in which case it may be exempt from payment of the fee:
- staff administration;
- advertising, marketing and public relations;
- accounts and records;
- not-for-profit purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions; or
- processing personal information without an automated system such as a computer.
If you are not sure whether or not your organisation falls within an exemption, please refer to the self assessment available on the ICO website at https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
How much do you need to pay? The fee amount will depend on: a) how many members of staff a controller has; b) the controller’s annual turnover; and c) whether the controller is a public authority, charity or a small occupational pension scheme.
Tier 1 “micro organisations” (i.e. organisations with a maximum annual turnover of £632,000 OR no more than 10 members of staff) are required to pay an annual fee of £40.
Tier 2 “small and medium organisations” (i.e. organisations with a maximum annual turnover of £36 million OR no more than 250 members of staff) are required to pay an annual fee of £60.
Tier 3 “large organisations” (i.e. organisations that do not fall within tier 1 or tier 2) are required to pay an annual fee of £2,900.
The ICO guidance states that it regards all controllers as eligible to pay a fee in Tier 3 unless and until they are told otherwise.
Note if the organisation is a public authority it only needs to take into account staff numbers and not turnover. Further if the organisation is a charity or a small occupational pension scheme, it will only be required to pay a Tier 1 fee irrespective of its size and turnover.
To work out how much your organisation needs to pay please refer to the self assessment available on the ICO website https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/
When do you need to pay it?
All eligible controllers will have been required to pay the fee from 25 May 2018 although those controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.
What if you don’t pay?
Failure to pay the fee will likely result in the ICO enforcement action and a fine of up to £4,350 (150% of the top tier fee).