As we are all aware, the GDPR implementation deadline of 25th May 2018 is fast approaching; in fact, it’s just over 15 weeks away. But were you also aware that the requirements for data controllers to register with the ICO, and the fees for registration, are changing on 1st April 2018?
Under the current rules, organisations that process personal information are required to register (notify) with the ICO as data controllers. The notification includes explaining what personal data they collect and what they do with it. At the point of notification, the data controller is required to pay a fee, currently £35 per year for organisations with fewer than 249 employees, and £500 for all other organisations.
After 25th May 2018 there will no longer be a requirement to notify the ICO in the same way. Under GDPR, data controllers are to be accountable by maintaining records and conducting assessments of processing activities.
However, there is a provision under the Digital Economy Act that means there is still a legal requirement for data controllers to pay the ICO a data protection fee. As with the notification fee now, the data protection fee will be used to fund the ICO’s data protection work as all money received in fines is passed directly back to the Treasury.
The Digital Economy Act paves the way for a new funding system. The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the fee will still be based on an organisation’s size and turnover, but will also consider the amount of personal data being processed.
The final fee structure will go live on 1st April 2018 but is likely to be a three-tier system:
Tier 1: annual fee of up to £55 applied to small and medium firms that do not process large volumes of data;
Tier 2: annual fee of up to £80 applied to small and medium firms that process large volumes of data;
Tier 3: annual fee of up to £1000 for large businesses;
And a direct marketing top-up fee of £20 for organisations that carry out electronic marketing activities as part of their business.
If your renewal is due prior to 1st April, then you will simply renew under the old system and the new structure will not affect you until your following renewal.
‘new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.’