Skip to content
PromoVeritas
PromoVeritas
Contact Us
PromoVeritas
  • Home
  • About Us
  • What We Do and Why
  • Our Work
  • News
  • Join the Team
  • Contact

GDPR UPDATE: Do you need to pay the ICO’s new Data Protection charges?

Abi Roman March 16, 2018

The government recently announced a shake-up in the way data controllers are charged to fund the Information Commissioner’s Office. Once the General Data Protection Regulation (GDPR) begins on 25th May 2018 it will herald a completely new regime which includes the way data protection is funded.

A draft of the requirements of the 2018 Regulations were laid before Parliament in February and in the meantime the ICO have produced guidance to give controllers as much time as possible to work out what fee, if any, they are likely to pay after 25th May. Under GDPR, organisations that determine the purposes for processing personal data – data controllers – must pay the ICO a data protection fee unless they are exempt. Controllers who already have a current registration don’t need to pay again until their current one expires.

Fees

There will be three tiers of funding based on several factors such as company size, status or turnover.
Tier 1 = £40 fee: Micro-organisations – Maximum turnover of £632k or no more than 10 members of staff
Tier 2 = £60 fee: SME organisations – Maximum turnover of £36m or no more than 260 members of staff
Tier 3 = £2,900 fee: Large organisations – if you don’t meet the criteria of 1 or 2 – the ICO will regard all organisations as eligible for Tier 3 unless they inform them otherwise.

Exemptions

If you are processing personal data for only one or more of the following purposes you don’t need to pay the fee;

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public registerJudicial functions
  • Processing personal information without an automated system such as a computer

So, are you liable to pay the fee?

Work out if you must pay the ICO’s fee by answering these questions. A self-assessment tool is being created by the IC, but in the meantime if your answer is Yes to any of these questions you may be liable.

1. Are you processing personal data? This means any information on a person that can identify them such as name, address, an ID number, or factors such as physical, genetic, economic, cultural or social identity. Processing means any operation that is performed on this data such as collecting, recording, storing, using, disclosing etc.

2. Is any of your processing on a computer? If you don’t process any of your data via a computer there isn’t a fee. A computer includes all types of laptops, desktops, tablets and cloud-based computing. Even CCTV, telephone logging and smartphones are considered.

3. Are you a controller? A controller decides the purpose and means of the processing of personal data. You may be a ‘processor’ who processes the data on behalf of a controller. Only a controller is liable to pay the data protection fee.

4. Are you processing personal information for personal, family or household affairs? If you are an individual processing data for these reasons, and not for a commercial or professional activity you are exempt.

5. Are you processing personal data for any of the following;

  • Accounting & auditing
  • Administration of justice
  • Administration of membership records
  • Advertising, marketing and public relations for others*
  • Canvassing political support
  • Charities – including housing associations
  • Constituency casework
  • Credit referencing
  • Crime prevention and prosecution of offenders
  • Debt administration and factoring
  • Education – including schools
  • Emergency services – including ambulance and fire service
  • Health administration – includes pharmacies and dentists
  • Insolvency practices
  • Insurance administration
  • Journalism and media
  • Legal services
  • Leisure – includes airlines and TV stations
  • Loyalty cards
  • Mortgage/insurance broking
  • Pastoral care
  • Pensions administration
  • Private investigation
  • Property management
  • Provision of childcare – includes childminders
  • Provision of financial services
  • Recruitment
  • Research
  • Social media – includes networking sites and dating agencies
  • Software development – includes web hosting, design and IT support
  • Trading and sharing personal information
  • Training

* If this is for yourself then you don’t pay the fee.

If the answer is yes to any of these, you must pay the data protection fee unless you are a not-for-profit organisation. This list is not exhaustive, it is just the organisations who typically must pay.

6. Are you only processing personal data to maintain a public register? If you are then you are exempt.

7. Are you a not-for-profit? If your organisation does not operate for profit you don’t pay the fees. However, the exemption only applies if you are processing data to establish or maintain membership or providing activities for individuals who are members of the body or have regular contact with it. Also, to be exempt you need to only hold personal data of these kinds of individuals (members etc.) and only process it for these reasons.

8. Are you only processing data for ‘core business purposes’?
These are:
Staff Administration – pay, work management, appointments, personnel matters relating to past, existing and prospective members of staff including casual, temporary and volunteer workers
Advertising, marketing and public relations – the data must be of individuals who are past, existing or present customers or suppliers that you advertise your own goods and services to. If you sell or trade a list of your customers, you need to pay the fee.
Accounts and records – so records of purchases, sales and other transactions to ensure deliveries and services take place, or to make forecasts. The exemption specifically excludes information obtained from credit reference agencies. If you are providing accounting services, you are liable.


9. Judicial functions
– processing is exempt if carried out by or on behalf of a judge, and it is also for exercising judicial functions.


10. Certain disclosures
– if your processing falls into the category of disclosures for the following it is exempt from the fee;
⦁ Disclosures required by law or court order
⦁ Disclosures required for preventing or detecting a crime, collecting taxes, apprehending offenders
⦁ Disclosures connected to legal proceedings
⦁ Disclosures required for avoiding an infringement of Parliamentary privileges

If you are liable:

If you are liable you will need to register if you haven’t already. The ICO will assess your information and decide which tier you fall into. Then you can pay by Direct Debit (and receive a £5 discount), credit or debit card or by cheque.

If you don’t pay your fee

You will be breaking the law if you are a controller processing personal data without paying the correct fee. The maximum penalty is £4,350 which is 150% of the top tier fee.

If you need advice or support with GDPR compliance PromoVeritas can offer audits, training and practical help. Alternatively, why not come to our complimentary Breakfast Briefing on GDPR for Marketers on Wednesday 25th April at Langan’s Brasserie, London W1 where we will talk you through what brands and their agencies need to know before GDPR comes into play. To reserve a place or to find out more about our GDPR services contact info@promoveritas.com or call +44 203 325 6000.

Photo credit: Convert GDPR
« No more registrations for promotions in Argentina Facebook investigated by the ICO and US Congress for huge data breach »

Call us on 0203 325 6000 to find out how we can help your promotion

+44 (0)203 325 6000
info@promoveritas.com
  • Home
  • About Us
  • What We Do and Why
  • Our Work
  • News
  • Join the Team
  • Contact
Proud members of ISO-27001 Accredited Proud members of
Run it Right.
© 2023 PromoVeritas
Privacy Policy Terms of Service Website Terms & Conditions Cookies Policy
We use cookies on our website. All the cookies we use can be viewed using the Cookie Settings button. By clicking “ACCEPT” you consent to the use of all cookies. You cannot disable our essential cookies.
Do not sell my personal information.
Read More
ACCEPTCookie settings
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Essential
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

CookieTypeDurationDescription
cookielawinfo-checkbox-necessary011 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary011 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
viewed_cookie_policy011 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Non Essential

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

CookieTypeDurationDescription
_ga01 yearThis cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat_UA-15728851-301 minuteThis is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid01 dayThis cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
bcookie01 yearThis cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
bscookie11 year
csrftoken011 monthsThis cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
GPS030 minutesThis cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE11 yearUsed by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
ig_did11 year
ig_nrcb01 year
lang0This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
li_sugr02 months
lidc01 dayThis cookie is set by LinkedIn and used for routing.
lissc01 year
mid01 yearThe cookie is set by Instagram. The cookie is used to distinguish users and to show relevant content, for better user experience and security.
test_cookie011 months
u02 months
UserMatchHistory01 month
VISITOR_INFO1_LIVE15 monthsThis cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC1This cookies is set by Youtube and is used to track the views of embedded videos.
Save & Accept