The Government is planning a major overhaul of who is exempt from paying data protection fees to fund the work of the Information Commissioner’s Office under GDPR, in a move which could lead to more organisations being forced to cough up.
Under the new three-tier structure – unveiled earlier this year and now in force – large companies shoulder most of the burden with a 600% increase in fees to just under £3,000. For very small organisations, the fee will not be any higher than the £35 they currently pay as long as they pay by direct debit, while SMEs will pay £60.
The Government says the consultation will help the Department for Digital, Culture, Media & Sport (DCMS) decide whether any existing exemptions should be removed and whether any new exemptions should be introduced.
The impact of any changes on the ICO’s resources will be given due consideration, it claims.
Currently, the regulations provide exemptions from paying charges for people and organisations that process personal data only for one or more of ‘core business purposes’, including staff administration (and payroll); advertising, marketing and PR (in connection with their own business activity); and accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency).
Other exemptions include processing for the purposes of judicial functions; and personal, family or household affairs (including recreational purposes).
In addition some not for profit organisations are also exempt, as are data controllers processing personal data only for maintaining a public register (such as the Electoral Roll), and data controllers who do not process personal data by automated means.
Others are not full exemptions but are automatically classified as being required to pay the Tier 1 fee (£40). These include small occupational pension schemes and charities.
However, the consultation document states: “Given that most of the exemptions date back many years, and to a time when digital processing of personal data was not undertaken on anything near the scale it is today, the Government considers that there is merit in reviewing the exemptions to ensure that they are still appropriate to the current time, and fit for the digital age.
“We are aware too that there is appetite from stakeholders to review the exemptions. In the consultation, we are asking stakeholders to look at each exemption and state whether they think it should be retained or not, and their reason(s) for their response.”
Under GDPR, individual local councillors will each have to pay £40 to the ICO if they use an electronic medium – such as a smartphone or a computer – to process personal data, such as the contact number of a constituent they are assisting with an issue.
The document adds: “We have also asked for respondents to state whether they consider exemptions should be provided for elected representatives and members of the House of Lords. Additionally, we have invited respondents to detail any other data controllers or processing that they consider appropriate for an exemption.”
The consultation closes at 4pm on August 1.
Big firms shoulder burden as new ICO fees are revealed
ICO stirs hornet’s nest with plans for huge rise in fees
ICO fees structure under wraps as GDPR D-Day looms
Businesses left in the dark over new ICO fees structure
GDPR zero hour: Now the hard work begins say experts
‘Inadequate’ Data Protection Bill is ‘already out of date’