The ICO recently issued formal enforcement notices to 34 organisations that had failed to pay their data protection fees. The fee is a new requirement under the Data Protection (Charges and Information) Regulations 2018 which came into force on 25 May 2018 to coincide with the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Those who ignore the notices or refuse to pay may face a fine of up to £4,000, with the ICO having the power to increase the fine by up to a further £4,350 where there are aggravating factors.
It had previously been suggested, due to the ICO doing away with its notification requirement, that there would be no fee to pay. However, all organisations that process personal data must now pay a fee to the ICO unless they are exempt. The money is used to fund its data protection work and its new and expanded services, such as the ICO advice line.
The fee is priced over three tiers, ranging from £40 to £2,900. Organisations can use the ICO’s self-assessment tool to calculate how much they need to pay. Click here to view. Organisations with charitable status will always fall within tier 1 regardless of size or if they are a public authority.
The ICO has stated that more notices are in the drafting stage and will be issued shortly. Those receiving a notice will have 21 days to respond. If they pay the relevant fee, no further enforcement action will be taken.
If you have any questions about the new data protection fee or about data protection compliance generally, please contact Ryan Mitchell by email or by phone on 02380 482316.