
New Data Protection Fees of up to £2,900 Per Year Introduced to Pay ICO

on Wednesday, 18 April 2018.

The new regulations arrive in preparation for the GDPR on 25 May 2018.

New rules have been introduced requiring most data controllers to pay annual fees to the UK's information regulator, the Information Commissioner's Office (ICO). Under the Data Protection Act 1998, most data controllers have to notify (or register with) the ICO unless they are exempt. The annual fee paid to do this is £35. Now, the Data Protection (Charges and Information) Regulations 2018 have been introduced to cover what happens from 25 May 2018 onwards, when the General Data Protection Regulation (GDPR) comes into force. Under the GDPR, there is no longer a need for controllers to notify or register, but the 2018 Regulations set new fees that must be paid. The fees will be used to fund the ICO's work.

There are three tiers for the fees to be paid.

Tier 1 is £40 and applies to any organisation that has a maximum annual turnover of £632,000 (although this turnover restriction does not apply to public authorities) or fewer than 10 members of staff. It also applies to all charities.

Tier 2 is £60 and applies to controllers that have a maximum annual turnover of £36 million or no more than 250 members of staff.

Tier 3 is £2,900 per year and applies to all other controllers. Everyone is deemed to be tier 3, unless they can prove otherwise.

The number of staff is calculated by adding up all full- and part-time employees, workers, office holders and partners, and is the average number during the year.

Exemptions

The charge applies to controllers rather than processors, and there are exemptions: any controller that only processes personal data for the following purposes is exempt from paying any fee:

  • Staff administration: This is processing for the purposes of appointments or removals, pay, discipline, superannuation, work management or other personnel matters concerning your staff.
  • Advertising, marketing and public relations: This is processing to advertise or market your business activity, goods or services and promote public relations only in connection with that business or activity, or those goods and services. For this exemption to apply, you must meet all the following criteria:
      - The individuals you hold information about are restricted to any person whose personal information you need to process for your own advertising, marketing or public relations – for example past, existing or present customers or suppliers.
      - Your information is restricted to information that is necessary for your advertising, marketing and public relations – for example, names, addresses and other identifiers.
      - You advertise and market your own goods and services (rather than anyone else's).
      - If you obtain personal information from a third party, it is still for the purpose of marketing your own goods and services.

  • Accounts and records: This is processing to keep accounts relating to your business or other activity; including deciding whether to accept anyone as a customer or supplier; keeping records of purchases, sales or other transactions to ensure the relevant payments, deliveries or services take place; or making financial or management forecasts to help you carry out your business or activity. The individuals you hold information about must be restricted to anyone whose personal information needs to be processed for your accounts and records – for example past, existing or present customers or suppliers. The information you hold must be restricted to personal information that is necessary for your accounts and records – for example, name, address and credit card details. The exemption specifically excludes information processed by or obtained from credit reference agencies. The exemption does not apply to anyone providing accounting services for their clients.
  • Not-for-profit purposes.
  • Personal, family or household affairs.
  • Maintaining a public register.
  • Judicial functions.
  • Processing personal information without an automated system such as a computer.

Not Exempt

Anyone processing personal data for any of the following purposes is not exempt:

  • Accounting and auditing
  • Administration of justice including police and probation boards
  • Administration of membership association records
  • Advertising, marketing and public relations for others
  • Canvassing political support among the electorate
  • Charities – including housing associations
  • Constituency casework
  • Consultancy and advisory services
  • Credit referencing
  • Crime prevention and prosecution of offenders, including non-domestic CCTV systems
  • Debt administration and factoring
  • Education – including schools
  • Emergency services – including ambulance and fire service
  • Health administration and provision of patient care, including medico legal, pharmacists, optometrists and dentists
  • Insolvency practices
  • Insurance administration
  • Journalism and media
  • Legal services
  • Leisure – including airlines and TV/radio stations
  • Loyalty cards
  • Mortgage/insurance broking
  • Pastoral care
  • Pensions administration
  • Personal data processed by or obtained from a credit reference agency
  • Private investigation
  • Property management, including the selling and/or letting of property
  • Provision of childcare – including childminders
  • Provision of financial services and advice
  • Recruitment
  • Research
  • Social media – including networking sites or dating agencies
  • Software development – including web hosting and design or IT support
  • Trading and sharing in personal information
  • Training

When Do the Fees Apply?

They apply annually, and the first payment applies from when your annual £35 payment under the Data Protection Act expires on or after 25 May 2018.

Publishable Information

The ICO will publish a register of controllers paying the fee, including the following details:

  • The name and address of the controller
  • The level of fee you have paid (that is, tier 1, tier 2 or tier 3)
  • The date you paid the fee and when it is due to expire
  • Any other trading names you have
  • Contact details for your Data Protection Officer, if you have told the ICO you have one

If you would like advice on the new data protection regime, please contact Paul Gershlick in our Pharmaceuticals and Life Sciences team on 01923 919 320.
