On 20 February 2018, the UK government published changes to the funding of the ICO. The Information Commissioner’s Office (ICO) is an independent body which oversees compliance with data protection legislation in the UK.
On 25 May 2018 a new data protection scheme for businesses and organisations throughout the EU comes into effect – this is the General Data Protection Regulation (GDPR). The implementation of the GDPR takes away data controllers’ legal obligation to pay the ICO a fee. The government needs to ensure that the ICO is adequately funded and has proposed a new fee regime, in order to continue monitoring enforcement and compliance of data protection law in the UK.
The draft fees regulations still need to be approved by parliament. The new fee system replaces the existing fees that businesses pay when registering data processing procedures with the ICO.
Until that 25 May, organisations must register and pay the current notification fee to the ICO unless they are exempt. Businesses will not need to pay the new data protection fee until their current registration has expired.
Current ICO Fees
£40 (or £35 if paid by direct debit):
- Charities and small occupational pension schemes
- Organisations that have been in existence for less than one month
- Turnover of less than £25.9M and 249 staff or less
- Turnover of more than £25.9M and more than 249 staff
- Public authorities with more than 249 staff
Proposed ICO Fee Levels
Tier 1 – £40 – Micro Organisations:
- Charities and small occupational pension schemes;
- Cap of £632K turnover; or
- 10 members of staff
Tier 2 – £60 – Small and Medium Organisations:
- Cap of £36M turnover; or
- 250 members of staff
Tier 3 – £2,900:
- Any company that exceeds the caps in Tier 2
- £5 reduction for payments made via direct debit
- £4,350 fine for not registering
- The ICO will assume data controllers belong to Tier 3 unless they are informed to the contrary
Organisations whose processing only covers the following matters will not need to pay the new fees:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer