Under the Data Protection Act 1998, all data controllers are required to register with the Information Commissioner’s Office (ICO) and provide important information, including the data that is collected and the purposes for which it is collected. This registration incurs a fee which is dependent on the size of the organisation and its turnover.
However, the Data Protection Act 1998 is soon due to be replaced by the General Data Protection Regulation (GDPR) (May 2018) and, in doing so, the obligation to ‘notify’ the ICO is being abolished. The obligation to pay a fee to the ICO to fund the ICO’s work remains, and there has been much speculation of late as to what the new fee structure will look like and how it will differ from the current one. These payments have now been approved and are set to come into force on 25th May 2018, coinciding with the introduction of GDPR. It is fair to say that some organisations’ payments to the ICO are set to increase significantly under the new regime, with the top tier demanding a payment of £2,900 compared with £500 currently. So what does the new structure look like for data controllers?
Current structure
Currently, most organisations that are data controllers will only be required to pay a fee of £35. However, some data controllers will have to pay a fee of £500. This will only be payable where:
- The data controller has a turnover of £25.9m or more and has more than 249 employees; or
- The data controller is a public authority and has more than 249 employees.
There are some exceptions to this rule, whereby some data controllers will only pay £35 regardless of their turnover or number of employees. These are:
- Charities;
- Small occupational pension schemes; and
- Organisations that have been in existence for less than one month.
Where a data controller fails to pay the relevant fee under the current regime, it may be subject to criminal sanctions.
New structure
Although the new fee structure will come into force on 25th May 2018, data controllers which are currently registered under the old structure will not be required to pay the increased fee until they come to re-register as a data controller. So, for example, if your current registration expires on 1st August 2018, you would not be expected to pay the ‘new’ fee until 1st August 2018, notwithstanding that the new rules come into force on 25th May 2018.
Do all data controllers need to pay this fee?
Some data controllers are not required to pay the fee. For example, the ICO has stated that a data controller will not be liable to pay a fee where it only processes personal data for one or more of the following reasons:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system (e.g. a computer).
What will the new costs be?
The new structure will have three different tiers which have been determined by Parliament. Similar to the current structure, these tiers will be based on the turnover of the organisation and the number of employees. The different tiers are as follows:
- Tier 1 (£40): for organisations that have a maximum turnover of £632,000 in a financial year or that have no more than 10 employees;
- Tier 2 (£60): for organisations that have a maximum turnover of £36 million in a financial year or that have no more than 250 employees;
- Tier 3 (£2,900): for all organisations that do not meet the criteria of the lower tiers.
For each of the above tiers a discount of £5 will apply where an organisation chooses to pay by direct debit. However, data controllers will initially be presumed to be subject to a tier 3 fee, unless and until they prove otherwise.
There will also be a number of exceptions in place under the new structure for specific types of organisations. These are:
- Public authorities – only the number of their employees is used to determine which tier will be applicable;
- Charities – regardless of turnover or number of employees, they will only ever be subject to tier 1 fees; and
- Small occupational pension schemes – regardless of turnover or number of employees, they will only ever be subject to tier 1 fees.
How do we calculate how many employees we have?
In order to correctly calculate the number of employees within an organisation, all members of staff should be included, including part-time employees and employees based overseas. The average number of employees throughout the organisation’s financial year should be used for the purposes of establishing which tier will be applicable to an organisation.
What will the penalty be if an organisation does not pay the new data protection fee?
Unlike under the current structure, where an organisation can face criminal sanctions, under the new structure an organisation which fails to pay the appropriate data protection fee may be subject to civil monetary sanctions.
What impact will this change have?
For many organisations which process personal data, this will not have a huge impact on costs. Those that fall within tier 1 (and who pay by direct debit) will not notice any difference. For many that will fall within the new tier 2, there may even be a reduction in cost, from £500 under the current regime to £55 (taking the direct debit reduction into consideration) under the new regime.
Tier 3 will have the biggest impact, introducing a significantly higher fee than any organisation has previously been used to, and such organisations will require to build this into their budgets going forward.
If you would like any further information about the new fees or assistance in becoming GDPR ready, please contact Loretta Maxfield within our specialist Privacy and Data Management Team on 01382 229111.