The Information Commissioner’s Office says it has sent over 900 “notices of intent” to fine companies who have failed to pay the new data protection fees – which came into force on GDPR D-Day May 25 – but has refused to name and shame them.
The regulator first revealed it was gunning for just 34 non-payers back in September. However, it now says over 900 have yet to pay, with more than 100 penalty notices being issued in this first round. It said that firms operating in business services, construction and finance sectors have now been fined.
Under the new three-tier structure – unveiled earlier this year – large companies shoulder most of the burden with a 600% increase in fees to just under £3,000. For very small organisations, the fee is £35 as long as they pay by direct debit, while SMEs pay £60.
All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt.
Fines range from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350. All fines recovered do not go to the ICO, they go to the Treasury’s Consolidated Fund.
ICO deputy chief executive Paul Arnold said: “Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action.
“You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”
Related stories
ICO launches crackdown as firms fail to pay new fees
Big firms shoulder burden as new ICO fees are revealed
ICO stirs hornet’s nest with plans for huge rise in fees
