The Information Commissioner’s Office is closing in on companies that process personal data but have failed to sign up to the Data Protection Register, as the regulator ratchets up its assault on data protection fee dodgers who are threatening its funding.
The issue of non-payment is a big thorn in the side of the ICO as the fees fund most of the regulator’s work. Under the new three-tier structure – brought in under GDPR – large companies pay just under £3,000, while SMEs pay £60 and small organisations £35.
The ICO has forecast that it will receive £45.5m in fee income for the year to March 2020, although the bulk of this money is eaten up by staff costs of £38.7m. The Government funds the regulator to the tune of £4.6m a year.
However, according to the ICO’s latest monthly financial accounts, “underachievement of the data protection fee income” has meant the regulator has only met its fee income budget once in the past six months.
August saw the worst performance, coming in at £507,000 under budget with September showing a £370,000 deficit. Overall the regulator is running £1.3m behind budget for the year.
The document adds: “Plans are due for consideration by the Executive Team for a more ambitious fee income recovery programme for the remainder of the year. There is considerable work underway reviewing the Data Protection Register to identify and then contact the organisations and individuals that are legally obliged but have not yet registered.”
The crackdown on firms was first launched in September 2018, when the regulator revealed it had started enforcement action against 34 organisations for non-payment, but, within weeks, this had escalated to over 900 “notices of intent” being issued to fine fee dodgers.
In May this year, it named and shamed over 90 firms – including major brands Reckitt Benckiser, Coty UK, Prezzo, Caterpillar, Condé Nast and Ubisoft – for failing to cough up. And earlier this month, the ICO said it had dished out fines totalling £145,800 to 340 non-payers between July and September this year. However, these fines do not go to the ICO; they go back to the Treasury.
Even so, a new Freedom of Information request has revealed just how hard the ICO is gunning for non-payers, with the regulator actually issuing 6,603 notices of intent since May 2018, of which 4,980 have been complied with. Of these, 3,808 were paid and 1,172 were cancelled after the ICO received what it called “valid representations”.
In total, 829 penalty notices have been levied over unpaid fees, although 71 recipients have lodged appeals. Of these, 27 companies have had their penalty notices cancelled before their cases reached the First-Tier Tribunal, while 19 appeals have been heard and dismissed. Some 25 appeals remain to be heard.
ICO deputy chief executive Paul Arnold recently said: “You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”