A draft of the requirements of the 2018 Regulations was laid before Parliament in February, and in the meantime the ICO has produced guidance to give controllers as much time as possible to work out what fee, if any, they are likely to pay after 25th May. Under GDPR, organisations that determine the purposes for processing personal data – data controllers – must pay the ICO a data protection fee unless they are exempt. Controllers who already have a current registration don’t need to pay again until their current one expires.
There will be three fee tiers, based on factors such as company size, status or turnover.
Tier 1 = £40 fee: Micro-organisations – Maximum turnover of £632k or no more than 10 members of staff
Tier 2 = £60 fee: SME organisations – Maximum turnover of £36m or no more than 260 members of staff
Tier 3 = £2,900 fee: Large organisations – any organisation that does not meet the criteria of Tier 1 or Tier 2. The ICO will regard every organisation as eligible for Tier 3 unless the organisation informs the ICO otherwise.
If you are processing personal data for only one or more of the following purposes you don’t need to pay the fee:
Work out whether you must pay the ICO’s fee by answering these questions. A self-assessment tool is being created by the ICO, but in the meantime, if your answer is Yes to any of these questions you may be liable.
1. Are you processing personal data? This means any information about a person that can identify them, such as a name, address or ID number, or factors such as physical, genetic, economic, cultural or social identity. Processing means any operation performed on this data, such as collecting, recording, storing, using or disclosing it.
2. Is any of your processing done on a computer? If you don’t process any of your data via a computer there isn’t a fee. A computer includes all types of laptops, desktops, tablets and cloud-based computing. Even CCTV, telephone logging systems and smartphones count for this purpose.
3. Are you a controller? A controller decides the purpose and means of the processing of personal data. You may instead be a ‘processor’, who processes the data on behalf of a controller. Only a controller is liable to pay the data protection fee.
4. Are you processing personal information for personal, family or household affairs? If you are an individual processing data for these reasons, and not for a commercial or professional activity, you are exempt.
5. Are you processing personal data for any of the following:
* If this is for yourself then you don’t pay the fee.
If the answer is yes to any of these, you must pay the data protection fee unless you are a not-for-profit organisation. This list is not exhaustive; it simply names the kinds of organisation that typically must pay.
6. Are you only processing personal data to maintain a public register? If you are then you are exempt.
7. Are you a not-for-profit? If your organisation does not operate for profit you don’t pay the fee. However, the exemption only applies if you are processing data to establish or maintain membership, or to provide activities for individuals who are members of the body or have regular contact with it. Also, to be exempt you must hold personal data only about these kinds of individuals (members etc.) and process it only for these reasons.
8. Are you only processing data for ‘core business purposes’?
⦁ Staff administration – pay, work management, appointments and personnel matters relating to past, existing and prospective members of staff, including casual, temporary and volunteer workers.
⦁ Advertising, marketing and public relations – the data must relate to individuals who are past, existing or present customers or suppliers to whom you advertise your own goods and services. If you sell or trade a list of your customers, you need to pay the fee.
⦁ Accounts and records – records of purchases, sales and other transactions, kept to ensure deliveries and services take place or to make forecasts. The exemption specifically excludes information obtained from credit reference agencies. If you are providing accounting services to others, you are liable.
9. Judicial functions – processing is exempt if it is carried out by or on behalf of a judge and is for the purpose of exercising judicial functions.
10. Certain disclosures – if your processing falls into any of the following categories of disclosure, it is exempt from the fee:
⦁ Disclosures required by law or court order
⦁ Disclosures required for preventing or detecting a crime, collecting taxes, apprehending offenders
⦁ Disclosures connected to legal proceedings
⦁ Disclosures required to avoid an infringement of Parliamentary privilege
If you are liable, you will need to register if you haven’t already. The ICO will assess your information and decide which tier you fall into. You can then pay by Direct Debit (and receive a £5 discount), by credit or debit card, or by cheque.
You will be breaking the law if you are a controller processing personal data without paying the correct fee. The maximum penalty is £4,350, which is 150% of the top-tier fee.