It is often said that the GDPR is an evolution, not a revolution for data protection. Last week this adage rang true, when the Government put new draft Regulations before Parliament requiring data controllers to pay an annual charge to the Information Commissioner's Office (the "ICO"). Under the current Data Protection Act 1998 (the "DPA") organisations who are data controllers must register with the ICO unless an exemption applies. The ICO currently has approximately 50,000 organisations registered as data controllers. The current registration fee is either £35 or £500, depending on the size and turnover of the organisation.
When the GDPR becomes applicable on 25 May 2018 it abolishes the requirement for data controllers to register with their relevant supervisory authority (in the UK, the ICO). Recital 89 of the GDPR confirms that the intention of abolishing the registration requirement is to remove the administrative and financial burden on data controllers. The GDPR also makes it clear that supervisory authorities must be provided with the necessary resources (including financial) to carry out their functions. In the UK, the Government has decided that data controllers will still be required to pay a fee to the ICO, unless an exemption applies. This is good news for the ICO as it helps ensure the necessary funding to carry out its functions under the GDPR.
Data Protection Fee
On 20 February 2018, the draft Data Protection (Charges and Information) Regulations 2018 (the "Regulations") were put before Parliament. They set out a three tier fee structure. It is important to remember that the legislation is going through the legislative process, so there is a possibility that it will change.
- Tier one – micro organisations. A data controller is in tier one if it has a maximum turnover of £632,000, has a maximum of 10 employees, is a charity or is a small occupational pension scheme. The tier one fee is £40.
- Tier two – small and medium organisations. A data controller is in tier two if it is not in tier one and if it has either a maximum turnover of £36 million or a maximum of 250 employees. The tier two fee is £60.
- Tier three – large organisations. Data controllers not in tiers one or two. The tier three fee is £2,900.
- Public authorities do not need to consider turnover when determining their tier, only the number of employees.
- There is a £5.00 reduction to the fee in all tiers if the payment is made by direct debit.
The Department for Digital, Culture, Media and Sport conducted a closed consultation on fees which proposed a similar three tier structure. However, the fees in the draft Regulations have increased substantially from the Government's initial fee proposal.
The fees appear to be based on turnover and size rather than the risk posed by the processing of personal data. There may be a correlation between size and risk but not necessarily; what about smaller organisations that process special categories of personal data?
Under the current law it is a criminal offence if an organisation fails to register with the ICO. Under the new regime there will be financial penalties for those who do not pay a fee or have not paid the correct fee. Penalties can be up to £4,350.
The draft Regulations put the responsibility on data controllers to determine if they must pay a fee, and if so, which tier is applicable to them. If an organisation is currently registered under the DPA the new fee isn’t payable until the current registration expires. According to ICO guidance published last week, if the registration has recently expired the ICO will assume the organisation falls into tier three unless they are notified otherwise.
When paying the relevant fee data controllers will also have to provide information including their contact details, number of employees, turnover and the contact details of the person handling the fee, another relevant representative and if applicable the data protection officer.
The ICO intends to publish an online self-assessment tool to help organisations determine which fee applies to them. Given the exemptions available perhaps it will help determine whether any fee is payable. The Government has recently announced its intention of undertaking a public consultation on the exemptions to payment. This consultation is currently planned for summer 2018.
As currently drafted the Regulations require data controllers to pay higher fees than are currently required under the DPA and still provide information to the ICO. As such, it is questionable whether the Government's new fee obligations alleviate the administrative and financial burdens on data controllers as envisioned in the GDPR.