GDPR UPDATE: Do you need to pay the ICO’s new Data Protection charges?
The government recently announced a shake-up in the way data controllers are charged to fund the Information Commissioner’s Office. Once the General Data Protection Regulation (GDPR) begins on 25th May 2018 it will herald a completely new regime which includes the way data protection is funded.
A draft of the requirements of the 2018 Regulations were laid before Parliament in February and in the meantime the ICO have produced guidance to give controllers as much time as possible to work out what fee, if any, they are likely to pay after 25th May. Under GDPR, organisations that determine the purposes for processing personal data – data controllers – must pay the ICO a data protection fee unless they are exempt. Controllers who already have a current registration don’t need to pay again until their current one expires.
There will be three tiers of funding based on several factors such as company size, status or turnover.
Tier 1 = £40 fee: Micro-organisations – Maximum turnover of £632k or no more than 10 members of staff
Tier 2 = £60 fee: SME organisations – Maximum turnover of £36m or no more than 260 members of staff
Tier 3 = £2,900 fee: Large organisations – if you don’t meet the criteria of 1 or 2 – the ICO will regard all organisations as eligible for Tier 3 unless they inform them otherwise.
If you are processing personal data for only one or more of the following purposes you don’t need to pay the fee;
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public registerJudicial functions
- Processing personal information without an automated system such as a computer
So, are you liable to pay the fee?
Work out if you must pay the ICO’s fee by answering these questions. A self-assessment tool is being created by the IC, but in the meantime if your answer is Yes to any of these questions you may be liable.
1. Are you processing personal data? This means any information on a person that can identify them such as name, address, an ID number, or factors such as physical, genetic, economic, cultural or social identity. Processing means any operation that is performed on this data such as collecting, recording, storing, using, disclosing etc.
2. Is any of your processing on a computer? If you don’t process any of your data via a computer there isn’t a fee. A computer includes all types of laptops, desktops, tablets and cloud-based computing. Even CCTV, telephone logging and smartphones are considered.
3. Are you a controller? A controller decides the purpose and means of the processing of personal data. You may be a ‘processor’ who processes the data on behalf of a controller. Only a controller is liable to pay the data protection fee.
4. Are you processing personal information for personal, family or household affairs? If you are an individual processing data for these reasons, and not for a commercial or professional activity you are exempt.
5. Are you processing personal data for any of the following;
- Accounting & auditing
- Administration of justice
- Administration of membership records
- Advertising, marketing and public relations for others*
- Canvassing political support
- Charities – including housing associations
- Constituency casework
- Credit referencing
- Crime prevention and prosecution of offenders
- Debt administration and factoring
- Education – including schools
- Emergency services – including ambulance and fire service
- Health administration – includes pharmacies and dentists
- Insolvency practices
- Insurance administration
- Journalism and media
- Legal services
- Leisure – includes airlines and TV stations
- Loyalty cards
- Mortgage/insurance broking
- Pastoral care
- Pensions administration
- Private investigation
- Property management
- Provision of childcare – includes childminders
- Provision of financial services
- Social media – includes networking sites and dating agencies
- Software development – includes web hosting, design and IT support
- Trading and sharing personal information
* If this is for yourself then you don’t pay the fee.
If the answer is yes to any of these, you must pay the data protection fee unless you are a not-for-profit organisation. This list is not exhaustive, it is just the organisations who typically must pay.
6. Are you only processing personal data to maintain a public register? If you are then you are exempt.
7. Are you a not-for-profit? If your organisation does not operate for profit you don’t pay the fees. However, the exemption only applies if you are processing data to establish or maintain membership or providing activities for individuals who are members of the body or have regular contact with it. Also, to be exempt you need to only hold personal data of these kinds of individuals (members etc.) and only process it for these reasons.
8. Are you only processing data for ‘core business purposes’?
Staff Administration – pay, work management, appointments, personnel matters relating to past, existing and prospective members of staff including casual, temporary and volunteer workers
Advertising, marketing and public relations – the data must be of individuals who are past, existing or present customers or suppliers that you advertise your own goods and services to. If you sell or trade a list of your customers, you need to pay the fee.
Accounts and records – so records of purchases, sales and other transactions to ensure deliveries and services take place, or to make forecasts. The exemption specifically excludes information obtained from credit reference agencies. If you are providing accounting services, you are liable.
9. Judicial functions – processing is exempt if carried out by or on behalf of a judge, and it is also for exercising judicial functions.
10. Certain disclosures – if your processing falls into the category of disclosures for the following it is exempt from the fee;
⦁ Disclosures required by law or court order
⦁ Disclosures required for preventing or detecting a crime, collecting taxes, apprehending offenders
⦁ Disclosures connected to legal proceedings
⦁ Disclosures required for avoiding an infringement of Parliamentary privileges
If you are liable:
If you are liable you will need to register if you haven’t already. The ICO will assess your information and decide which tier you fall into. Then you can pay by Direct Debit (and receive a £5 discount), credit or debit card or by cheque.
If you don’t pay your fee
You will be breaking the law if you are a controller processing personal data without paying the correct fee. The maximum penalty is £4,350 which is 150% of the top tier fee.