If you're not registered with the ICO as a data controller, you might be breaking the law.
With GDPR now in effect, most businesses are aware of the responsibilities they hold in relation to personal data. But one element of the rules that hasn’t perhaps been widely publicised is that of the data protection fee, which requires many organisations to register with the ICO – or potentially face large fines. So what is the data protection fee, and is it actually a big deal?
GDPR Data Protection Fee
In plain terms, the data protection fee is an annual charge levied on organisations that process personal data. The fee is paid to the ICO, and the proceeds fund its data protection work, including enforcing GDPR.
In terms of eligibility, a good starting point is the ICO's own words:
"Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt."
We'll address those exemptions momentarily. If you're like the majority of businesses and traders, you'll be required to pay the data protection fee on an annual basis. However, how much you have to pay depends on where your business sits on a three-tier scale:
Tier 1: micro organisations. You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2: small and medium organisations. You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3: large organisations. If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. (ICO website)
Importantly, if you don't tell the ICO your turnover and staff numbers, it will assume that you belong in tier 3, and you'll be charged the highest data protection fee.
Data Protection Act Registration: A History Lesson
Long before GDPR and the data protection fee, many businesses were already required to register with the ICO under the Data Protection Act 1998.
According to the ICO's advice at the time, “The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt."
Registration lasted for a year and usually cost £35, although the cost could be higher for larger businesses and public authorities. As with the data protection fee, there were exceptions and exemptions.
What's particularly interesting, though, is how few organisations actually registered. Many, many more businesses should have been paying this registration fee. They just weren't. 🤷♀️
Who is Exempt From The Data Protection Fee?
As we stated earlier, the data protection fee has some exceptions and exemptions.
The exceptions are:
- Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
- Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
- Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
And, according to the ICO, you are not required to pay the fee if you are processing personal data only for one or more of the following reasons:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
For the vast majority of businesses, these exemptions will not apply, so the fee will have to be paid.
As you'd expect, there are once again penalties for not paying the data protection fee or for paying the wrong one: up to 150% of the top tier fee, which translates as a maximum of £4,350.
Why Should You Pay The Data Protection Fee?
The most obvious reason to pay the data protection fee is that it's a legal requirement (assuming you're not exempt). Also, the fact that GDPR exists at all suggests that data protection is being taken more seriously than in the past, and the ICO will be keen to prove it's doing its job. As the Information Commissioner has said, fines are a last resort. But the data protection fee is vital to the ICO if it's to function properly, and if businesses ignore the requirement en masse, the ICO could flex its muscles by making an example of some of them.
The question is: could your business take a hit like that, if you were singled out for punishment?
Finally, it's worth pointing out that the ICO does some important work that needs to be funded. If your business finds itself being bombarded by spammy sales calls, for example, the ICO is also the regulator for unsolicited marketing calls, so you have someone to report them to. That alone could be well worth the annual fee.
All organisations that process the personal data of EU residents need to be GDPR compliant. That includes protecting personal data with sufficient cyber security. TMB has many years of experience in this field. Get in touch via our contact page, or email us at email@example.com.