The Information Commissioner’s Office has admitted that it will not be able to tell companies how much they will have to pay to process personal data under GDPR until the end of the year at the earliest, leaving firms in the dark as many prepare their budgets for the new year.
In a blog post by ICO deputy chief executive Paul Arnold, the regulator insists it wants to “clarify how the fees that data controllers have to pay to the ICO are changing” yet fails to detail the most important fact – how much it will cost.
Under the current Data Protection Act, organisations that process personal information are required to notify with the ICO as data controllers and pay a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work, and bring in up to £15m a year.
However, once GDPR comes into force – in May next year – these fees will be scrapped, although under the Digital Economy Act it will remain a legal requirement for data controllers to pay the ICO a data protection fee. This will come into force on April 1 2018.
But according to the ICO’s 2013 estimate the increased workload from GDPR will cost over £26.8m, and Freedom of Information request funding has also been slashed, leaving a £42.8m black hole in the regulator’s finances. Given the complexity of GDPR, the ICO’s original estimate is likely to be conservative at best, with some claiming its could be well over £50m by May 2018.
Arnold states: “The amount of the data protection fee is being developed by the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament.
“The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing.
“We expect to know more by the end of the year and will communicate to data controllers once we do.”
In the meantime, organisations must continue to renew their notification or face criminal action. Arnold adds: “We expect that under the new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.”
But one industry insider said: “As usual, businesses will be the last to know how much they will have to cough up. It is bad enough that the ICO’s GDPR guidance is virtually non-existent. But the fee structure has been discussed for over four years, surely they can at least give us a clue?”
Businesses left in the dark over new ICO fees structure
Lack of GDPR guidance fuels fears over bombardment
Charities call for Govt action to avoid GDPR meltdown
New industry body to tackle threat to outbound calling
ICO recruitment drive hit by scramble for GDPR experts
GDPR fuels major recruitment drive at UK businesses
70% of customers plan to demand to see their data
Firms face bombardment of data requests under GDPR
Half of all firms still not compliant with 1998 data laws