The GDPR is now firmly embedded in UK law and since May 2018 there have been an increasing number of reports of investigations by the ICO into data breaches and inappropriate use of personal data by companies across the country.
It appears that the ICO’s current campaign is focused on raising awareness of the duty on businesses to register with the ICO and to pay an annual charge.
Under the old Data Protection Act 1998 regime, companies that processed personal data had to notify the ICO (in effect, register with them). A notification fee was payable and the notification had to be renewed annually.
Under the new regime, the GDPR removed the duty to notify, but the Data Protection (Charges and Information) Regulations 2018 require organisations which are data controllers to register with the ICO and pay a data protection fee unless they are exempt.
The fees fund the ICO’s data protection work and are not particularly onerous for most companies. There are three tiers of fee based on the turnover of the business, the number of staff and the type of organisation:
– Tier 1 – Micro organisations. Businesses with a maximum turnover of £632,000 for the financial year or no more than 10 members of staff. The fee is £40.
– Tier 2 – Small and medium organisations. Businesses with a maximum turnover of £36 million for the financial year or no more than 250 members of staff. The fee is £60.
– Tier 3 – Large organisations. Businesses which do not meet the criteria for tier 1 or tier 2. The fee is £2,900.
The fee is an annual fee, so it must be paid each year.
If a business fails to register with the ICO and provide the information needed to determine its tier (turnover, staff numbers and type of organisation), the ICO will treat it as falling within tier 3, i.e. £2,900. It is therefore vital to register and provide that information in order to secure the lower fee.
The ICO also has the power to issue a monetary penalty to businesses which do not comply, and the penalty can be up to £4,000. That penalty is payable on top of the outstanding fee itself.
There are exemptions from the fee in certain limited circumstances. These cover controllers which only process personal data for staff administration, advertising, marketing and public relations, accounts and records, not-for-profit purposes, personal, family or household affairs, judicial functions, maintaining a public register, or without the use of an automated system such as a computer. Processing for any other purpose, even a minor one, will usually take an organisation outside the exemption. The rules are complex, and before relying on any of these exemptions we would strongly recommend seeking advice to check your organisation’s position.
We strongly recommend that all companies check they are meeting their obligations to the ICO and pay any fee that is due before the ICO comes knocking.
The ICO has a self-assessment tool on its website. The tool is easy to use, and registration and payment can be made directly through it to the ICO.
If you have any questions about whether or not your business must pay the data protection fee or any other queries about GDPR in an employment context, please don’t hesitate to contact Charlotte Farrell.