The new charging structure for data controllers to fund the work of the Information Commissioner’s Office will see large companies shoulder most of the burden with a 600% increase in fees to just under £3,000, although SMEs and micro-businesses will not pay as much as originally planned.
The new structure was laid before Parliament yesterday (February 20) as a Statutory Instrument and will come into effect on May 25, to coincide with GDPR.
The ICO has been quick to point out, however, that until then, organisations are legally required to pay the current notification fee, unless they are exempt. Businesses which renew or register before May 25 will not have to pay the new fees for 12 months.
The ICO’s data protection work is currently funded through fees levied on organisations that process personal data, unless they are exempt. This is done under powers granted in the Data Protection Act 1998. When GDPR comes into effect, it will remove the requirement for data controllers to pay the ICO a fee.
The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organisation processes.
As originally revealed, the model is divided into three tiers and is based on a number of factors including size, turnover and whether an organisation is a public authority or charity.
For very small organisations, the fee will not be any higher than the £35 they currently pay as long as they pay by direct debit. This was originally going to rise to £55. SMEs will pay £60, again less than the proposed £80.
Larger organisations will be required to pay £2,900. The ICO says this fee is higher because these organisations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk.
The proposal to charge a £20 direct marketing top-up fee for all organisations that carry out electronic marketing activities has been dropped. There will continue to be financial penalties for not paying fees, but these will be civil monetary penalties rather than a criminal sanction.
The fees are:
Tier 1 – Micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit)
Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
Tier 3 – Large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
The ICO has published a guide to the new charges for data controllers on its website.