02 October, 2018
Organisations that handle personal data in the course of their business have been handed a wake-up call by the Information Commissioner's Office (ICO) this month, with a number of fines being handed out for failures to pay the data protection fee.
On 26 September 2018, the ICO reported that it had begun formal enforcement action against 34 organisations that have failed to pay the new data protection fee. These organisations span across many sectors, including the NHS, recruitment, finance, government and accounting. What's more, the ICO has stated that more notices are currently being drafted and will be sent out in the immediate future.
These higher fees came into force from 25 May 2018, with the Data Protection (Charges and Information) Regulations 2018 requiring every organisation or sole trader who processes personal information (be that of its own employees, its customers, potential customers, or otherwise) to pay a data protection fee to the ICO, unless they are exempt.
The fees themselves are used to help finance the work of the ICO: investigation of data breaches; manning their advice line; offering guidance to organisations; as well as generally upholding individuals' personal data rights.
Concerning the notices, Paul Arnold (Deputy Chief Executive Officer at the ICO) said:
"We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary. All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action."
Failure to pay the data protection fee is now a civil offence under the GDPR and affected organisations have 21 days to respond, although if they pay the registration fee in that period then the action will stop.
The data protection fee is tiered, depending on the size of the organisation, as below:
Tier 1 - micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40
Tier 2 - SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
Tier 3 - large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900.
For those who ignore the notices, the fines for non-compliance can be up to £4,350, taking into account any aggravating factors.
The switchover to GDPR and the current fee scheme should not immediately worry those previously registered as a data controller under the Data Protection Act 1998. If an organisation is currently registered under the old act, i.e. registered before 25 May 2018, then the new fee will not have to be paid until this registration has expired. Those who paid their fee on 24 May 2018 can rightly feel smug!