GDPR: The New ICO Fees Regime


25th May 2018, when the General Data Protection Regulation (GDPR) comes into force, will see the end of the current Notification regime under the Data Protection Act 1998.

Until recently, Data Controllers looked set to save a little money and the Information Commissioner’s Office (ICO) a lot of money. The ICO is currently funded partly from the annual Notification fees. In 2016 it collected more than 17 million pounds.

As predicted on this blog last year, the Government has now announced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 were laid before Parliament on 20th February 2018 and will come into effect on 25 May 2018, to coincide with the GDPR. The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to its wide-ranging provisions about data sharing). Data Processors do not have to pay any fee to the ICO, but then many will be Data Controllers in their own right.

In summary, there are three different tiers of fee, and Data Controllers are expected to pay between £40 and £2,900 depending on the number of staff they employ and their annual turnover:

Tier 1 – Micro Organisations will pay £40

Applies to Data Controllers who have a maximum turnover of £632,000 for their financial year or no more than 10 members of staff.

Tier 2 – Small and Medium Organisations will pay £60

Applies to Data Controllers who have a maximum turnover of £36 million for their financial year or no more than 250 members of staff.

Tier 3 – Large Organisations will pay £2,900

Applies to Data Controllers who do not meet the criteria for tier 1 or tier 2 above.

Data Controllers who currently have a registration (or notification) under the 1998 Act will not need to pay the new data protection fee until their registration expires. The ICO will write to them before this happens to explain what they need to do next. For Data Controllers who are already registered, the ICO will decide which tier they come under based on the information it has, but Controllers will always be able to challenge this. The good news is that Data Controllers choosing to pay the fee by direct debit will receive an automatic discount of £5 at the point of payment. Every little helps!

The 2018 regulations make it clear that public authorities (e.g. councils) should categorise themselves according to staff numbers only. They do not need to take turnover into account. Furthermore, charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.

A Data Controller processing personal data only for one or more of the following purposes is not required to pay a fee:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not for profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

To help Data Controllers understand the new fee regime, the ICO has produced a Guide to the Data Protection Fee.

STOP PRESS (25th May 2018)

The Data Protection (Charges and Information) Regulations 2018, which give effect to the above, came into force today.

Act Now can help you prepare for GDPR. Our 2018 course programme contains many more GDPR workshops and live webinars.

Our GDPR Practitioner Certificate is proving very popular with those who need to get up to speed with GDPR as well as budding Data Protection Officers. If you require these courses delivered at your premises, tailored to your needs, please get in touch.

Finally, for frontline staff, our one-hour GDPR E Learning Course is ideal.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 16 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.

3 Responses to GDPR: The New ICO Fees Regime

  1. Victoria says:

    The regs don’t seem to state, would local authority councillors be considered micro organisations do you think?

  2. Pingback: The Data Protection Act 2018: A Summary | Blog Now
