ICO guidance on data protection fees – notification is dead, long live registration

Charlotte Mullarkey

To coincide with the implementation of the General Data Protection Regulation (GDPR), the UK data protection authority, the Information Commissioner’s Office (the ICO) has issued guidance on the new proposed fee arrangement for the registration of data controllers in the UK. Assuming this proposal is approved by Parliament, the new ‘data protection fee’ will come into effect on 25 May 2018, until which time organisations are legally required to pay the current notification fee, unless exempt.

Current Structure

Under the current regime introduced by the Data Protection Act 1998 (DPA), data controllers processing personal data in the UK are required to ‘notify’ the ICO and pay a registration fee of between £35-500, unless exempt. The maximum fee of £500 is charged only if a data controller: (i) receives turnover equal to or exceeding £25.9 million and employs more than 249 members of staff; or (ii) is a public authority with more than 249 members of staff. According to the ICO, over 490,000 organisations are currently registered with the ICO (and listed on the Data Protection Public Register). This notification process requires provision of information, such as details of the types of personal data processed.

Data Protection Fee

Though the GDPR removes this formal requirement for data controllers to notify the ICO, the UK Digital Economy Act 2017 creates a legal requirement for data controllers processing data in the UK to pay the ICO a data protection fee.

The new data protection fee was laid before Parliament as a Statutory Instrument on 20 February 2018 and is divided into three banded tiers:

Tier 1 (Fee: £40, or £35 when paid by direct debit)small organisations with: (i) maximum turnover of £632,000; or (ii) no more than ten members of staff;

Tier 2 (Fee £60) – small and medium-sized enterprises with: (i) maximum turnover of £36 million; or (ii) no more than 250 members of staff; and

Tier 3 (Fee £2,900) – large organisations not meeting the criteria of either Tiers 1 or 2.

Exceptions – charities and small occupational pensions schemes not otherwise subject to an exemption are liable to pay only the Tier 1 fee (regardless of size or turnover), and public authorities need only to consider staff size (and not turnover).

As under the pre-GDPR regime, the registration fee to be paid by a data controller will be proportionate to the size, turnover, and the type of the organisation of the data controller. There are exemptions where the organisation only processes certain types of personal data (eg for staff administration). Registration will continue to remain valid for a 12-month period from the registration or renewal date (subject to receiving payment).

The maximum penalty for failing to pay the correct fee is a fine of £4,350.

ICO Funding

The proposed data protection fee provides for a new funding structure for the ICO, which is funded through the fees levied on organisations processing personal data.

The reformed funding structure (and increased fee for the registration of larger organisations) represents the UK Government’s acknowledgement that the GDPR will cause a significant growth in the ICO’s workload. However, it is unclear whether the changes will translate into increased registrations of companies at the ICO. There is a slight irony that in maintaining (and revising) registration fees in an attempt to raise sufficient resources for the ICO to monitor GDPR standards, the UK Government may have undermined somewhat the European Commission’s (largely unrealistic) expectation that the GDPR would “cut red tape”. On the plus side, there is much less information to provide.

Next Steps

Data controllers which have renewed or registered with the ICO before 25 May 2018 under the DPA will only need to pay the new data protection fee when the current pre-GDPR registration expires.

The ICO will inform data controllers registered under the pre-GDPR system when the expiry date(s) for their ICO registration(s) approach, along with a preliminary decision as to the relevant tier the ICO considers the data controller to be subject.

by Charlotte Mullarkey and Benjamin Scrace


Comments published on Digital Hub do not necessarily reflect the views of Allen & Overy.

Read comments below or add a comment

Leave a comment