The UK has announced plans to introduce a three tier Data Protection Fee, which will replace the current two tier system of registration for data controllers.
The new fee structure is set out in The Data Protection (Charges and Information) Regulations which are currently before parliament. They will come into force on 25 May 2018, which is the same date as the enforcement of the General Data Protection Regulation (“GDPR”). The Information Commissioners Office (“ICO”) has produced helpful guidance on the fees which can be found here (opens PDF document).
From 25 May 2018 controllers will be required to pay an annual data protection fee to the ICO, unless they fall within one of the exemptions set out below. The fees are split into three tiers depending on factors including staff numbers, turnover and whether the organisation is a charity or a public authority.
The tiers and fees are set out below:
- Tier 1: These are Micro Organisations with a Maximum turnover for the financial year of £632,000 or No more than 10 members of staff. The fee for Tier 1 is £40.
- Tier 2: These are Small and Medium Organisations with a Maximum turnover for the financial year of £36 million or no more than 250 members of staff. The fee for Tier 2 is £60
- Tier 3: These are Large Organisations who do not meet the criteria for Tiers 1 and 2. The fee for Tier 3 is £2,900.
Importantly, all controllers will be regarded as Tier 3 unless they tell the ICO otherwise.
The following should be noted in relation to the criteria:
- Turnover: For group companies, the turnover is that of each separate company.
- Members of staff: This is the average number of staff working during the financial year, to include employees, workers, office holders and partners and it includes part time staff.
- Public Authorities need only categorise based on turnover and not based on staff numbers.
- Charities and Small occupational pension schemes, if not otherwise exempt will pay the Tier 1 fee.
Where personal data is only being processed for one or more of the following purposes, there is no fee payable:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer.
The maximum penalty for failure to pay a fee (or paying an incorrect fee) is £4,350, which will be imposed from 25 May 2018. Data controllers who have a current registration under the Data Protection Act will not be required to pay the new fee until their current registration expires, at which point they will be contacted by the ICO. Non-exempted data controllers that have not previously registered with the ICO and paid a fee, will need to do so. Registration prior to 25 May 2018 will be subject to the current fee structure.