CHANGES TO ICO FEES AND REGISTRATION
Under the General Data Protection Regulation (GDPR) Data Controllers will no longer be required to register with the Information Commissioners Office (ICO) in the same way. However, they will be required to pay a new data protection fee, in accordance with the Digital Economy Act.
Under the Data Protection Act 1998 Data Controllers were required to notify the ICO of their processing activities relating to personal data by confirming:
- the nature of their work;
- a description of the processing;
- the reason for processing such information;
- the type of personal information processed;
- details of who the data is shared with; and
- any instances where data is transferred.
Such a notification was accompanied by an annual fee – unless an exemption applied – ranging from £35 to £500, dependent upon the size, type and revenue of the business. Ultimately, this fee helped fund the work of the Information Commissioner.
Changes under the GDPR
Instead of notification and registration, the GDPR requires Data Controllers to be accountable by maintaining records and conducting assessments of processing activities. Data Controllers are also required to implement technical and organisational measures to protect the security of the personal data and, where such activities are deemed to represent a ‘high risk’ to the rights and freedoms of individuals, consult with the relevant data protection authority.
Given the GDPR has halted the registration requirement and associated fees, this has led some to question how the ICO will now be funded: by the government, or perhaps by generating revenue through fines against businesses found to be in violation of the GDPR?
Alternative revenue stream
The introduction of the Digital Economy Act 2017 may go some way to bridge the apparent funding gap, by ‘allowing’ the Information Commissioner to charge data protection fees to businesses.
Word from the ICO
The ICO have acknowledged the obligation to notify them will change post May 2018; however, given the provision to charge a fee contained in the Digital Economy Act, there will still be an obligation for businesses to pay money to them, which will be applied on an annual basis.
Although not yet finalised, it would appeara new fee system will apply to businesses as of the 1st April 2018. This fee system is likely be three-tiered:
- Tier 1: annual fee of up to £55 applied to small and medium firms that do not process large volumes of data;
- Tier 2: annual fee of up to £80 applied to small and medium firms that process large volumes of data;
- Tier 3: annual fee of up to £1000 for large businesses;
- And a direct marketing top-up fee of £20 Organisations that carry out electronic marketing activities as part of their business.
What happens in the meantime?
Organisations who are required (by current law) to either register or renew their registration prior to April 2018 should continue to do so and will be charged the related annual fee. However, the ICO has stated:
‘new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.’
This will effectively ensure organisations are not required to pay both the registration fee and the new data protection fee within the same 12 month period.