14 March 2018
A new data protection registration fee of up to £2,900 per year will apply in the UK from 25 May 2018.
While the incoming General Data Protection Regulation (GDPR) does away with an annual notification requirement, it also increases the tasks which need to be carried out by Supervisory Authorities while doing away with the income they receive from notification fees. Recognising the need for increased revenue, the UK government has decided this will be partially funded by a new annual data protection fee, which will replace the current notification fee.
The UK has published draft Regulations which set out the fees data controllers will be required to pay to the UK ICO, together with draft guidance from the ICO.
Data controllers will be required to pay the new fee of £40, £60 or £2,900 (depending on turnover and number of staff) on expiry of their current annual notification, or when registering for the first time any time after 25 May 2018. Exemptions similar to those under the current notification regime may apply.
While some information will need to be submitted with the annual fee, the current notification regime, which requires details about the data processing, will no longer exist under the GDPR.
It is not entirely clear whether data controllers not based in the UK but processing UK personal data will have to register, and there are ambiguities around the registration requirement in relation to cross-border controllers, which will hopefully be addressed in the final version of the Regulations.
There are three tiers of fees: £40, £60 and £2,900. The fee payable will depend on how many members of staff an organisation has, its annual turnover, and whether or not it is a public authority, a charity or a small occupational pension scheme. Some data controllers will be exempt from registration fees.
Note that the ICO will regard all controllers registering for the first time (and not currently notified under the Data Protection Act 1998) as eligible to pay a Tier 3 fee unless and until it is told otherwise.
Who is a member of staff is broadly defined. It includes all employees (including part time), workers, office holders and partners, whether based in the UK, overseas or both. This total is calculated as an average number across the financial year.
If the data controller has been in existence for less than twelve months, the period of its existence. In any other case, the most recent financial year of the data controller that ended prior to the first day of the charge period in respect of which information is being provided or a charge is being paid. For Companies and LLPs, this is determined in accordance with the Companies Act and Companies Act as applied to LLPs respectively. For other organisations, it is the period covering twelve consecutive months over which a data controller determines income and expenditure.
Organisations processing personal data only for one or more of the following purposes will not have to pay a registration fee:
The ICO will publish a self-assessment tool before the Regulations come into effect. If an organisation is already registered under the 1998 Data Protection Act, the ICO will decide which Tier is applicable, and organisations have the right to object. An organisation paying a fee for the first time will need to inform the ICO of its name, contact details, and which level of fee it thinks it will need to pay. A telephone line has been set up to take this information, which can also be submitted online.
The ICO will collect the following information from all registrants:
Information which the ICO will publish will be limited to:
Failure to pay a fee, or to pay the correct fee, is subject to a maximum penalty of £4,350 (150% of the Tier 3 payment).