Millions of UK companies are being targeted in a new offensive by the Information Commissioner’s Office to tackle data protection fee dodgers, which are threatening to stretch the regulator’s finances to the limit.
Last month, Decision Marketing revealed that the ICO had admitted there was “considerable work underway reviewing the Data Protection Register to identify and then contact the organisations and individuals that are legally obliged but have not yet registered”.
Now the regulator has said it is contacting all registered companies in the UK, reminding them of their legal responsibility to pay the fee, insisting the move marks the start of an “extensive programme” to make sure those who need to pay it actually cough up.
According to official statistics, there are 4.2 million companies registered in the UK, although whether the ICO has targeted firms which it believes are likely to handle personal data or it is simply blanket mailing the lot is not known.
The latest ICO management accounts reveal the regulator collected £4.095m in fees in October, against a budget of £4,161,000, the six consecutive budget deficit in the seven months since April. August saw the worst performance, coming in at £507,000 under budget; overall the regulator is running £1.3m behind budget for the year.
The regulator says that since the new annual data protection fee was introduced in May 2018, over 600,000 organisations have registered to pay it. However, it has issued 6,603 notices of intent to fine firms for non-payment since May 2018, of which 4,980 have been complied with. Of these, 3,808 were paid and 1,172 were cancelled after the ICO received what it called “valid representations”.
The latest ICO accounts also reveal that the regulator has been forced to go cap in hand to the Treasury to meet increased legal and professional services expenditure – currently running £673,000 over budget – which has been blamed on “litigation linked to fines”.
Exact details of which cases have cost the regulator so dearly have not been revealed, although 2019 has been a quiet year so far for fines, with only 13 penalties being handed out; this time last year 29 fines had already been issued.
However, there would be substantial costs from the first major GDPR rulings to come out of the ICO – the proposed fines against British Airways and Marriott International totalling £282m – which are still to be levied.
The document states: “Within the full year forecast there is additional income of £650,000 to cover litigation costs. With the significant legal costs involved in litigation linked to fines, the Department for Digital, Culture, Media & Sport are looking to partly offset these within a year. The ICO is currently in dialogue to agree a longer term model to recover the costs of litigation connected with issuing fines.”
The issue was first raised in the ICO’s annual report, published in April. The report warned: “A risk to ensuring the ICO has adequate resources is the increased risk of contentious, complex and lengthy legal proceedings which has already started with the Facebook appeal and is likely to continue with the size of the fines that can be assessed under GDPR and the Data Protection Act 2018.
“We are currently exploring options to mitigate this risk. These options include ring-fencing fine income specifically to fund litigation costs, additional grant in aid, deficit budgeting, use of reserves, or seeking awards of costs through court proceedings. A key piece of work for 2019-20 will be to identify the way forward in this area.”
Data protection fee dodgers face fresh ICO clampdown
ICO funding pays off but fears grow over huge legal bills
340 fingered for failing to cough up data protection fee
Brands ‘have no excuse’ to ignore data protection fee
Top brands savaged for not paying data protection fee