GDPR update: No longer a requirement to notify with the ICO…but a fee hike above the rate of inflation

As of 25 May 2018, the fees that data controllers pay to the ICO are changing.

A data controller is the legal person or body which determines the purposes and means of the processing of personal data.

Essentially this means that they are the person responsible for making decisions about why personal data is processed and how it is done in an organisation.

The ICO published its guidance on the data protection fee on 21 February 2018.

How much will I be required to pay under the new regime?

There will now be three tiers of fee, determined principally by your number of employees and annual turnover.

| Tier | Turnover | Numbers of Staff | Fee |
|---|---|---|---|
| Tier 1 – Micro Organisation | £632,000 | 10 | £40 |
| Tier 2 – Small and Medium Organisations | £36 million | 250 | £60 |
| Tier 3 – Large Organisations | Above Tier 2 | Above Tier 2 | £2,900 |

Importantly, the ICO will regard all data controllers as Tier 3 unless you notify them and provide evidence that you fall within a different category – so if you do not fall within that tier then remember to inform the ICO immediately.

Large organisations will feel the biggest impact of these changes, with a rise from £500 to £2,900 annually.

It has been acknowledged that this is an above-inflation increase; however, the government has argued that this higher fee is necessary to “reflect the increased level of information risk inherent in this category of data controllers”.

One thing to be mindful of is that the new fee does not need to be paid on 1 April 2018; rather, it only needs to be paid when your existing notification fee expires. The ICO will contact you before the expiry with further details of how to pay the fee.

Do I fall within an exception or exemption?

If you are a public authority, charity or small occupational pension scheme then a reduced fee is payable.

Further, you do not need to pay a fee if you are processing personal data solely for staff administration, advertising or not-for-profit purposes.

What happens if I do not pay the fee?

If you do not pay the fee, or fail to pay the correct fee, the maximum penalty is a £4,350 fine. However, one positive is that with the new changes there will no longer be any criminal sanctions for failure to pay.

If you would like some further guidance or information on whether you fall within an exception or exemption feel free to get in touch with me at Daniel.Crayford@Forbessolicitors.co.uk or on 01254 222451. We offer a range of fixed fee GDPR support services and would be happy to discuss how we can assist you with your preparations for May 2018.

Dan Crayford

About Dan Crayford

Dan joined Forbes in 2014, gaining experience in complex insurance litigation which involved advising clients in the construction and public sectors. In early 2017, Dan joined the Commercial team and moved to specialise in advising clients in the public, quasi-public and third sectors, predominantly in the fields of construction, procurement, social housing regulation, and education governance. Dan has a particular interest in contracts and procurement law, with a focus on advising registered providers of social housing, educational institutions, and other public and charitable organisations. Dan has worked with a range of clients in these sectors including registered providers of social housing of all sizes, maintained schools to MATs, other charities and community entities including CIOs, and CICs. Dan also regularly advises organisations from all sectors on data protection and freedom of information matters, including GDPR, PECR, and Environmental Information Regulations.