ICO Registration and Fees
Currently, many organisations pay a fee to the Information Commissioner’s Office (ICO) as a Data Controller. These registrations (or notifications) would have fallen away when the GDPR was applied into UK law. However, a new registration and fee scheme for Data Controllers will come in from 25 May 2018, the same day the General Data Protection Regulation takes effect across the EU.
The ICO first mentioned a move to levy new fees on Data Controllers last year on its blog and on Twitter. These proposals have now found their way into draft regulations presented to Parliament. Originally it was thought that fines would fund the ICO; instead, to ensure its continued funding, the Government has announced a new charging structure for Data Controllers. Until 25 May 2018, organisations remain legally required to pay the current notification fee, unless they are exempt.
To help Data Controllers understand why there is a new funding model and what they will be required to pay, the ICO has produced a Guide to the Data Protection Fee, which can be found at www.ico.org.uk. It should be noted that this is a draft at the moment, as the model has to be approved by Parliament before it is confirmed.
Key Changes and Information
If you have a current registration, you do not need to renew it on 25 May 2018, only when it expires.
There are exemptions from the need to register. These are set out in the draft guidance, but may change as the regulations pass through Parliament. Certain activities also trigger the need to register, and the list of these has been widened compared with the current regime.
Charities and small occupational pension schemes pay only the Tier 1 fee.
Fee levels range from £40 to £2,900, based on number of staff and (for non-public bodies) turnover as well.
The default position is Tier 3, unless and until you can demonstrate to the ICO that you are a Tier 1 or Tier 2 organisation.
Below is the revised Tier structure:
- Tier 1 – micro organisations – turnover of no more than £632K or no more than 10 members of staff – £40
- Tier 2 – small and medium organisations – turnover of no more than £36M or no more than 250 members of staff – £60
- Tier 3 – large organisations – if you exceed both Tier 2 caps, the fee is £2,900.
For very small (micro) organisations, the fee will be no higher than the £35 they currently pay, provided they take advantage of the £5 reduction for paying by direct debit. The ICO explains that the Tier 3 fee is so much higher because large organisations are likely to hold and process the largest volumes of personal data, and therefore represent a greater risk.
There is a monetary penalty (fine) of up to £4,350 for failing to register, regardless of organisational size.
Key FAQs on the website include:
Do I have to pay a fee? If you are a Controller and the exemptions don’t apply to you, you will have to pay the fee.
If my registration expires on or after 25 May 2018, can I renew early and pay my current fee? No. You must pay the correct fee under the new fee structure.
When will I have to pay the new fee? The new regulations come into effect on 25 May 2018, when organisations must apply the GDPR. But this doesn’t mean that everyone has to pay the ICO a fee on that day. Controllers with a current registration (or notification) under the 1998 Act will not have to pay any other fee until their notification has expired (12 months from the day they made it). Controllers that are not currently notified will be liable for the new fee from 25 May 2018, unless an exemption applies.
If I renew under the old arrangements, will I have to pay again on 25 May 2018? No. If you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months. You will not need to pay the new fee until your current registration expires.
What is the difference between notifying under the Data Protection Act 1998 and paying the data protection fee? Aside from the level of the fee, the main difference is that under the 1998 Act Controllers had to give details of the types of processing they carried out. You will not need to provide this information from 25 May 2018.
How will I know my renewal is due? The ICO will email you before your previous payment expires and your new payment is due.
What happens if I don’t pay my fee? The ICO will send you a reminder explaining when you need to pay. If you do not pay, or do not tell the ICO why you are no longer required to pay a fee, it will issue a notice of intent 14 days after expiry. You will then have 21 days to pay or to make representations. If you still do not pay, or fail to notify the ICO that you no longer need to pay, you may be issued with a fine of up to £4,350 (150% of the top-tier fee).
Data Protection and SMEs
Many small firms are still not sure what the GDPR means for them, but they need to start paying attention, as the new UK legislation in the form of the Data Protection Act 2018 will soon apply. The Federation of Small Businesses (FSB) has found that a third of small businesses have not started preparing for the introduction of the GDPR, while a further third are only in the early stages of preparation. Only 8% of small businesses have completed their preparations.
FSB National Chairman Mike Cherry explains: “The GDPR is the biggest shake-up in data protection to date, and many small businesses will be concerned that the changes will be too much to handle. It is clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”
On average, small firms will spend seven hours per month meeting their data protection obligations, which equates to £1,075 per year, according to the FSB. Recognising that some small businesses will not be compliant ahead of the May deadline, the FSB has appealed to the regulator, the ICO, to take a proportionate approach to enforcement and not to resort immediately to fines.
What actions need to happen before 25 May 2018
We have been reviewing our own Data Protection Policies, and we have now issued to all our clients a Data Sharing Agreement, along with mailing out our policies on how we will ensure that we protect and handle client data.
We are also updating all our clients’ Handbooks with an Employment Data Protection Policy, which will cover your employees’ responsibilities and rights. It is not meant to cover, and indeed does not cover, what data you hold about your customers or others, or what practices you have in place to keep it secure. So you need to be taking steps to prepare for this.
It is likely that the ICO will not be able, or inclined, to start enforcement action against SMEs unless they are blatantly doing something terrible, but that is not an excuse for procrastination. We are already seeing signs that large organisations will expect their suppliers to have relevant Data Protection policies in place, or to answer rigorous questionnaires, so it is best to be ready for this and able to show what you do to keep their data secure. Data holders (Controllers or Processors) will have to ensure that they have safeguards in place to prevent the accidental loss, destruction or damage of personal data, and to prevent unauthorised access to it. They should also review how they seek, record and manage consent to personal data being held by their organisation.
Please feel free to ask any questions of our Consultants who would be pleased to advise on any element of this newsletter.