
            Overview of the new ICO fee requirements for data controllers

            On 20 February 2018, new draft Regulations were put before Parliament that require data controllers to pay a fee to the ICO unless an exemption applies. This article considers the proposed fee structure.

            Date: 28/02/2018

            It is often said that the GDPR is an evolution, not a revolution, for data protection. Last week this adage rang true, when the Government put new draft Regulations before Parliament requiring data controllers to pay an annual charge to the Information Commissioner's Office (the "ICO"). Under the current Data Protection Act 1998 (the "DPA"), organisations that are data controllers must register with the ICO unless an exemption applies. The ICO currently has approximately 50,000 organisations registered as data controllers. The current registration fee is either £35 or £500, depending on the size and turnover of the organisation.

            When the GDPR becomes applicable on 25 May 2018, it abolishes the requirement for data controllers to register with their supervisory authority (in the UK, the ICO). Recital 89 of the GDPR confirms that the intention behind abolishing the registration requirement is to remove the administrative and financial burden on data controllers. The GDPR also makes it clear that supervisory authorities must be provided with the resources (including financial resources) necessary to carry out their functions. In the UK, the Government has decided that data controllers will still be required to pay a fee to the ICO unless an exemption applies. This is good news for the ICO, as it helps secure the funding it needs to carry out its functions under the GDPR.

            Data Protection Fee

            On 20 February 2018, the draft Data Protection (Charges and Information) Regulations 2018 (the "Regulations") were put before Parliament. They set out a three-tier fee structure. The draft is still going through the parliamentary process, so the detail may change before it is made.

            • Tier one – micro organisations. A data controller is in tier one if it meets any one of the following: a maximum turnover of £632,000, a maximum of 10 employees, it is a charity, or it is a small occupational pension scheme. The tier one fee is £40.
            • Tier two – small and medium organisations. A data controller is in tier two if it is not in tier one and has either a maximum turnover of £36 million or a maximum of 250 employees. The tier two fee is £60.
            • Tier three – large organisations. Data controllers not in tiers one or two. The tier three fee is £2,900.
            • Public authorities do not need to consider turnover when determining their tier, only their number of employees.
            • There is a £5.00 reduction to the fee in all tiers if payment is made by direct debit.

             The Department for Digital, Culture, Media and Sport conducted a closed consultation on fees which proposed a similar three tier structure. However, the fees in the draft Regulations have increased substantially from the Government's initial fee proposal. 

            The fees appear to be based on turnover and headcount rather than on the risk posed by the organisation's processing of personal data. Size and risk may correlate, but not necessarily: a small organisation that processes special categories of personal data may pose more risk than a large one that does not, yet it pays the lowest fee.

            Penalties

            Under the current law it is a criminal offence for an organisation that is required to register with the ICO to fail to do so. Under the new regime there will instead be civil financial penalties for those who do not pay a fee, or who have not paid the correct fee. Penalties can be up to £4,350.

            Registration

            The draft Regulations put the responsibility on data controllers to determine whether they must pay a fee and, if so, which tier applies to them. If an organisation is currently registered under the DPA, the new fee is not payable until the current registration expires. According to ICO guidance published last week, once a registration has expired the ICO will assume the organisation falls into tier three unless it is notified otherwise, so organisations in the lower tiers should tell the ICO their tier rather than wait to be charged.

            When paying the relevant fee data controllers will also have to provide information including their contact details, number of employees, turnover and the contact details of the person handling the fee, another relevant representative and if applicable the data protection officer.

            The ICO intends to publish an online self-assessment tool to help organisations determine which fee applies to them. Given the exemptions available, it may also help organisations determine whether any fee is payable at all. The Government has recently announced its intention to hold a public consultation on the exemptions from payment, currently planned for summer 2018.

            As currently drafted the Regulations require data controllers to pay higher fees than are currently required under the DPA and still provide information to the ICO. As such, it is questionable whether the Government's new fee obligations alleviate the administrative and financial burdens on data controllers as envisioned in the GDPR.
