ICO issues guidance on new data protection fee

Out-Law News | 22 Feb 2018 | 10:20 am

Organisations responsible for how personal data is handled will be obliged to pay up to £2,900 each year to fund the monitoring of compliance and enforcement of data protection law in the UK from 25 May, under plans outlined by the Information Commissioner's Office (ICO).

The 'data protection fee' will be set at a rate of £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations. The fee will be payable by all data controllers operating in the UK, unless an exemption applies.

The ICO has published guidance (17-page / 222KB PDF) to help organisations understand more about the new fees regime, including which exemptions could apply to them. It cautioned that its guidance is based on draft regulations which have still to be approved by the UK parliament, but said it had decided to publish its guidance "to help data controllers prepare for what government is proposing".

"You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes: staff administration; advertising, marketing and public relations; accounts and records; not-for-profit purposes; personal, family or household affairs; maintaining a public register; judicial functions; processing personal information without an automated system such as a computer," the ICO said.

A series of questions has been set out by the watchdog in its guidance to help businesses understand whether any of the exemptions apply to their circumstances.

The data protection fee is provided for under the draft Data Protection (Charges and Information) Regulations 2018. Those UK laws have not yet been finalised, but it is planned that they will be introduced to coincide with the EU's General Data Protection Regulation (GDPR) taking effect.

The new fee will replace the current notification fee that businesses must pay when registering their data processing arrangements with the ICO under the current Data Protection Act. That notification requirement will no longer apply under the GDPR.

The ICO said that businesses will not need to pay the new data protection fee until their "current registration expires".

"Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt," the watchdog said in its guidance. "These fees fund our data protection work, which includes our work under the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA)."

"The new data protection fee replaces the requirement to ‘notify’ (or register), which is in the Data Protection Act 1998. We have the power to enforce the 2018 Regulations and to serve monetary penalties on those who refuse to pay their data protection fee. Although the 2018 Regulations come into effect on 25 May 2018, this doesn’t mean everyone has to pay the new fee on that date. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired," it said.