27 September, 2018
On 26 September 2018, the ICO reported that it had begun formal enforcement action against 34 organisations that have failed to pay the new data protection fee. These organisations span many sectors, including the NHS, recruitment, finance, government and accounting. Of note, the ICO has stated that further notices are currently being drafted and will be sent out in the immediate future.
Paul Arnold, Deputy Chief Executive Officer at the ICO, said:
"We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary. All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action."
Under the new data protection regime, failure to pay the data protection fee is a civil matter rather than the criminal offence it was under the Data Protection Act 1998. Affected organisations have 21 days to respond to a notice; if they pay the outstanding data protection fee within that period, the enforcement action will stop.
The data protection fee is tiered, depending on the size of your organisation, as below:
Tier 1 - micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40.
Tier 2 - SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60.
Tier 3 - large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900.
For those who ignore the notices, the penalty for non-payment is a fine of up to £4,350, with the amount set after taking into account any aggravating factors.
These enforcement notices should remind organisations of all sizes, working in all areas, that they must be aware of their obligations under data protection legislation. The ICO's policy is to publish all notices that it issues, so reputational damage will accompany the fine for not paying the data protection fee - don't let it be you!
Forbes Solicitors regularly advise a range of businesses on data protection law, including compliance with the GDPR, DPA and PECR, preparation for the ePrivacy Regulation, and staff training. We offer a range of fixed fee and retainer-based Data Protection Support services and would be happy to discuss how we can assist you with your preparations, with the aim of helping to minimise the occurrence of breaches and, in the event of a breach, to mitigate any resulting risks. If you have any questions, please contact me on 01254 222451 or at firstname.lastname@example.org.