As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.
Under the current Data Protection Act (DPA), organisations that process personal information are required to notify with the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.
When the new data protection legislation comes into effect next year there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.
How much will data controllers have to pay?
The Digital Economy Act paves the way for a new funding system for the ICO. The amount of the data protection fee is being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament.
The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing.
The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.
We expect to know more by the end of the year and will communicate to data controllers once we do.
When will the new data protection fee system start?
The new model will go live on 1 April 2018.
I’m due to renew shortly, should I still go ahead with this?
Organisations should continue to renew their notification as usual and it is still a criminal offence to not notify if an organisation needs to. Once we know more about the new fees, we will be telling all organisations about the changes and what they need to do. So, until the new fees come in, it is very much business as usual – so no excuses for not notifying!
I have recently renewed, will I have to pay again in April?
We expect that under the new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.
Will there still be exemptions under the new fee model?
Yes, what these exemptions will be has yet to be confirmed by DCMS but we expect them to be similar to those under the current regime.
I’m already registered with the ICO, how will I know when the system changes?
We will be informing people in the reminder paperwork we send them about renewal. Next year we’ll make clear to those due to renew from April that they will be under the new regime and we’ll include everything they need to know to make the process go smoothly.
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/