Newsflash: Update on ICO ‘data protection fee’

22nd February 2018

The government has announced changes to the way that the Information Commissioner’s Office (ICO) will be funded from 25 May 2018, when the EU General Data Protection Regulation (GDPR) – the new data protection regime – comes into force.

Under GDPR, there will no longer be a requirement to notify or register with the ICO on an annual basis as under the current rules, but there will be a legal requirement for data controllers to pay the ICO an annual ‘data protection fee’ unless they are exempt.

The ICO has produced a guide to the data protection fee to help data controllers navigate the new fee structure and work out what, if anything, they will be required to pay. It also intends to publish an online self-assessment tool before 25 May 2018.

The new fees range from £40 to £2,900 with an automatic £5 discount when paying by direct debit. There is a three tier structure based on number of staff, annual turnover, and whether the organisation is a public authority, charity or small occupational pension scheme:

• Tier 1 – micro organisations – £40 fee: Maximum turnover of £632,000 or no more than 10 members of staff. Charities and small occupational pension schemes (not otherwise subject to an exemption) will be liable for this fee, regardless of size or turnover.

• Tier 2 – small and medium organisations – £60 fee: Maximum turnover of £36 million or no more than 250 members of staff.

• Tier 3 – large organisations – £2,900 fee: Organisations not falling within tier 1 or tier 2.

It is important to note that the ICO will treat all controllers as eligible for tier 3 unless and until told otherwise.

Public authorities do not need to take turnover into account.

The ICO has the power to serve monetary penalties on those who refuse to pay their data protection fee.

Those processing personal data only for one or more of the following purposes will be exempt from paying the fee:

• staff administration
• advertising, marketing and public relations
• accounts and records
• not-for-profit purposes
• personal, family or household affairs
• maintaining a public register
• judicial functions
• processing personal information without an automated system such as a computer

Data controllers who have a current registration (or notification) under the existing rules will not have to pay the new fee until that registration has expired. Until 25 May 2018, organisations have a legal requirement to register and pay the current notification fee unless they are exempt under the existing rules.

The new funding model is still subject to parliamentary approval before it is finally confirmed and Walker Morris will continue to monitor and report on developments. In the meantime, if you have any queries arising from this briefing, or require any assistance in preparing for GDPR, please do not hesitate to contact Jeanette Burgess or Andrew Northage, who will be very happy to help.