GDPR update: No longer a requirement to notify with the ICO…but a fee hike above the rate of inflation

As of 25 May 2018, the fees that data controllers pay to the ICO are changing.

A data controller is the legal person or body which determines the purposes and means of the processing of personal data.

Essentially this means that they are the person responsible for making decisions about why personal data is processed and how it is done in an organisation.

The ICO published its guidance on the data protection fee on 21 February 2018.

How much will I be required to pay under the new regime?

There will now be three tiers of fee, determined principally by your number of employees and annual turnover.

Tier                                      Turnover       Number of Staff   Fee
Tier 1 – Micro Organisation               £632,000       10                £40
Tier 2 – Small and Medium Organisations   £36 million    250               £60
Tier 3 – Large Organisations              Above Tier 2   Above Tier 2      £2,900

Importantly, the ICO will regard all data controllers as Tier 3 unless you notify them and provide evidence that you fall within a different category – so if you do not fall within that tier then remember to inform the ICO immediately.

It will be large organisations that will feel the biggest impact of these changes, with a rise from £500 to £2,900 annually.

It has been acknowledged that this is an above-inflation increase; however, the government have argued that this higher fee is necessary to “reflect the increased level of information risk inherent in this category of data controllers”.

One thing to be mindful of is that the new fee does not need to be paid on 1 April 2018; rather, it only needs to be paid when your existing notification fee expires. The ICO will contact you before the expiry and give further details of how to pay the fee.

Do I fall within an exception or exemption?

If you are a public authority, charity or small occupational pension scheme then a reduced fee is payable.

Further, you do not need to pay a fee if you are processing personal data solely for staff administration, advertising or not-for-profit purposes.

What happens if I do not pay the fee?

If you do not pay the fee or fail to pay the correct fee, the maximum penalty is a £4,350 fine. However, one positive is that with the new changes there will no longer be any criminal sanctions for failure to pay.

If you would like some further guidance or information on whether you fall within an exception or exemption feel free to get in touch with me at Daniel.Crayford@Forbessolicitors.co.uk or on 01254 222451. We offer a range of fixed fee GDPR support services and would be happy to discuss how we can assist you with your preparations for May 2018.

Dan Crayford

About Dan Crayford

Dan Crayford is a lawyer in the Corporate and Commercial Department at Forbes Solicitors. Dan provides updates for clients on a range of commercial and quasi-commercial issues including contracts, projects, procurement, governance, data protection and freedom of information, and charity law.