The Information Commissioner’s Office offensive to tackle data protection fee dodgers, which has seen the regulator rifle off letters to millions of UK businesses, has been branded “heavy handed” for its threatening language.
Late last year, Decision Marketing revealed the ICO planned to contact all registered companies in the UK, 4.2 million in total, to remind them of their legal responsibility to pay the data protection fee if they collect and manage customers’ personal data.
The campaign has been triggered by a shortfall in ICO funding, the majority of which is gathered through the new fee structure, implemented by GDPR and the UK Data Protection Act 2018. According to latest ICO management accounts, which date back to October last year, the regulator is running £1.3m behind budget for the year. Out of the seven months the ICO has been collecting the fee, it has only hit budget once; August saw the worst performance, coming in at £507,000 under budget.
But, according to a report in The Times, thousands of small business owners and landlords have been “alarmed” by the letters from the ICO, which say that they owe money.
Simon Rothenberg, a senior manager at tax and accounting advisory firm Blick Rothenberg, said that at least 100 of the company’s clients had received a letter at the beginning of December, with many criticising its “heavy-handed” approach; others even thought it was a scam.
The letter, signed by deputy chief executive ICO Paul Arnold, states: “Our records, based on information made available by Companies House, show that you are not registered with us. The Data Protection (Charges and Information) Regulations 2018 require every business that processes personal information to pay a data protection fee . . . Not paying when you should may result in being fined up to £4,000.”
The letter then goes on to advise businesses to let the regulator know “if you’re sure you don’t need to pay”, but says that there are not many circumstances where exemptions apply. Recipients of the letter are directed to the ICO website to verify the charge.
In the case of Blick Rothenberg clients, about half of the firms found that they did not have to pay, although of course this does mean that the other half did have to cough up.
Since the fee was introduced in May 2018, over 600,000 new organisations have registered to pay it. However, the ICO has dished out fines totalling £145,800 to 340 non-payers between July and September last year, including Norwegian Air UK.
The vast majority of defaulters (333 organisations) were issued with a £400 penalty, although three have had to cough up £600 and a further four were hit for £4,000.
In a recent blogpost, Arnold stated: “As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information.
“We know data protection legislation can be complicated and we are here to help. The reminders we are sending to organisations are to help make it easy to comply with the law as well as access a great deal of advice and support available from the ICO.”
Millions of firms in firing line in data protection fee blitz
Data protection fee dodgers face fresh ICO clampdown
ICO funding pays off but fears grow over huge legal bills
340 fingered for failing to cough up data protection fee
Brands ‘have no excuse’ to ignore data protection fee
Top brands savaged for not paying data protection fee