The Data Protection Fee – ICO fees under the GDPR
The obligation on controllers to pay a fee will remain in place following the implementation of the General Data Protection Regulation, the GDPR, on 25 May 2018. The fees act as the main source of funding for the UK’s data protection supervisory authority, the Information Commissioner’s Office (the ‘ICO’). The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed a new funding structure based on the relative risk to the data processed by organisations.
On 20 February 2018, the new fee structure was laid before Parliament as a Statutory Instrument and will come into effect on 25 May 2018 to coincide with the enforcement date of the GDPR. The new funding structure proposed by the Government has three tiers and is based on a number of factors including size, turnover and whether the organisation is a public authority or a charity. The fees are:
- Tier 1 – Micro organisations. Maximum turnover of £632,000 or no more than 10 members of staff. Fee: £40 (or £35 if paid by direct debit)
- Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
- Tier 3 – Large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
There are certain exceptions for some controllers. For example, public authorities need not consider turnover, categorising themselves solely on staff numbers. In addition, charities and small occupational pension schemes, that not otherwise subject to an exemption, will only be liable for the tier 1 fee.
If a controller processing personal data or responsible for the processing of personal data fails to pay the required fee, or fails to pay the correct feet they will be considered to be breaking the law and may be subject to a financial penalty. The maximum penalty is a £4,350 fine, this is 150% of the tier 3 fee. The revenue raised by the imposition of fines will continue to be passed to the UK Government.
Until 25 May 2018, organisations are legally required to pay the current notification fee unless they are exempt. Controllers will not have to pay any other fee until their current notification fee has expired (12 months from the day they made it).
Article written by Bethany Bradley.