GDPR: The New ICO Fees Regime


25th May 2018, when the General Data Protection Regulation (GDPR) comes into force, will see the end of the current Notification regime under the Data Protection Act 1998.

Until recently, Data Controllers looked set to save a little money and the Information Commissioner’s Office (ICO) a lot of money. The ICO is currently funded partly from the annual Notification fees. In 2016 it collected more than 17 million pounds.

As predicted on this blog last year, the Government has now announced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 were laid before Parliament on 20th February 2018 and will come into effect on 25 May 2018, to coincide with the GDPR. The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing.) Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.

In summary there are three different tiers of fee and Data Controllers are expected to pay between £40 and £2,900 depending on the number of staff they employ and their annual turnover:

Tier 1 – Micro Organisations will pay £40

Applies to Data Controllers who have a maximum turnover of £632,000 for their financial year or no more than 10 members of staff.

Tier 2 – Small and Medium Organisations will pay £60

Applies to DataControllers who have a maximum turnover of £36 million for their financial year or no more than 250 members of staff.

Tier 3 – Large organisations will pay £2900

Applies to Data Controllers who do not meet the criteria for tier 1 or tier 2 above.

Data Controllers who currently have a registration (or notification) under the 1998 Act,  will not need to pay the new data protection fee until their registration expires. The ICO will write to them before this happens to explain what they need to do next. With regards to Data Controllers who are already registered, the ICO will decide what tier they come under based on the information it has but Controllers will always be able to challenge this. The good news is that Data Controllers choosing to pay the fee by direct debit, will receive an automatic discount of £5 at the point of payment. Every little helps!

The 2018 regulations make it clear that public authorities (e.g. councils) should categorise themselves according to staff numbers only. They do not need to take turnover into account. Furthermore, charities that are not otherwise subject to an exemption, will only be liable to pay the tier 1 fee, regardless of size or turnover.

A Data Controller processing personal data only for one or more of the following purposes is not required to pay a fee:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not for profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

To help Data Controllers understand the new fee regime, the ICO has produced a Guide to the Data Protection Fee.

STOP PRESS (25th May 218)

The Data Protection (Charges and Information) Regulations 2018  came into force today which give effect to the above.

Act Now can help you prepare for GDPR. Our 2018 course programme contains many more GDPR workshops and live webinars.

 Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers.  If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally for frontline staff our one hour GDPR E Learning Course is ideal.