When the General Data Protection Regulation (GDPR) comes into effect in May next year it will not require organisations to notify the ICO about what data they hold or to pay notification fees. However, little will change in reality. A provision in the new Digital Economy Act 2017, which addresses policy issues relating to electronic communications infrastructure and services, means that notification and fees to the ICO will still be a legal requirement for data controllers after GDPR is enacted. What is more, the fees themselves are likely to increase.
Under the current Data Protection Act (DPA), organisations which process personal information must, as data controllers, notify the ICO about what personal data they collect and what they do with it (unless an exemption applies). They are also required to pay the ICO a notification fee. This is either £35 or £500, depending on size. These fees are currently used to fund most of the ICO’s work.
The Digital Economy Act 2017 paves the way for a new funding system for the ICO with the new model going live on 1 April 2018. As is currently the case, notification fees will be used to fund the ICO’s data protection work and any money the ICO receives in fines will be passed directly back to the Government.
What is still unknown is exactly what these fees will be, although we now have a clear indication of what is being considered. An update from the ICO on 31st October, confirms the range of fees which are currently being considered in consultation with the Department for Digital, Culture, Media and Sport. The draft proposal is for a three tier system, differentiating between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.
- Tier 1: small and medium sized firms that do not process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and fewer than 10,000 records processed. Annual fee up to £55.
- Tier 2: small and medium sized firms that process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and more than 10,000 records processed. Annual fee up to £80.
- Tier 3: large firms. Applies to those with a staff headcount of more than 250 and turnover of more than £50m a year. Annual fee up to £1,000.
- Direct marketing top up: applies to organisations that carry out electronic marketing activities as part of their business. Top up fee £20.
Once approved by parliament, the ICO has undertaken to communicate the new fees to data controllers. In the meantime, organisations should continue to renew their notification as usual. It remains a criminal offence not to notify if an organisation is required to. Those who pay an annual notification fee will only need to pay the new fee once their existing notification, under the old model, expires. It is also expected that the exemptions will still operate and these are expected to be similar to those under the current regime.