ICO fee and registration changes next year

By Paul Arnold, Deputy Chief Executive.

As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.

Under the current Data Protection Act (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.

When the new data protection legislation comes into effect next year there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.

How much will data controllers have to pay?

The Digital Economy Act paves the way for a new funding system for the ICO. The amount of the data protection fee is being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament.

The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing.

The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

We expect to know more by the end of the year and will communicate to data controllers once we do.

When will the new data protection fee system start?

The new model will go live on 1 April 2018.

I’m due to renew shortly, should I still go ahead with this?

Organisations should continue to renew their notification as usual and it is still a criminal offence to not notify if an organisation needs to. Once we know more about the new fees, we will be telling all organisations about the changes and what they need to do. So, until the new fees come in, it is very much business as usual – so no excuses for not notifying!

I have recently renewed, will I have to pay again in April?

We expect that under the new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.

Will there still be exemptions under the new fee model?

Yes, what these exemptions will be has yet to be confirmed by DCMS but we expect them to be similar to those under the current regime.

I’m already registered with the ICO, how will I know when the system changes?

We will be informing people in the reminder paperwork we send them about renewal. Next year we’ll make clear to those due to renew from April that they will be under the new regime and we’ll include everything they need to know to make the process go smoothly.

Paul Arnold leads departments responsible for IT, Information Governance, Business Development and Change Management, Organisation Development and Customer Contact.


24 Responses to ICO fee and registration changes next year

  1. Simon Ghent says:

    416,000 on the database. Over 5 million businesses. Would you call that a success or failure?

    How many successful cases did the ICO bring for not paying the £35 fee in the last financial year? Is the new fee structure designed for mass non-compliance like the current one? When the ICO struggles with enforcing the DPA, PECR etc. effectively, what is to make us believe that you will enforce the new “fee” structure from April?

  2. Simon Clark says:

    Isn’t it extremely likely that the Digital Economy Act will be subsumed into the Data Protection Act 2017, rather than having two pieces of legislation? The whole point of the EU saying that GDPR would not require a registration or a fee process was to ensure as many organisations as possible get registered. For companies this is just the same, but GDPR brings into the net organisations like NGOs, charities, and the local sports club. Anywhere that holds a list of members is included. This all sounds very poorly thought out. Section 132 of the DPA 2017 Draft says that a fee ‘may’ be charged, not that it definitely will be. If the ICO got its costs from the fines it levied there would be no need for a charge, with the excess returning to the Government account.

    • Seth says:

      That would then create a perverse incentive for the ICO to levy as many fines as possible to ensure its income. The whole point of the current system is that the ICO only fines when appropriate rather than when it needs some cash.

      • Simon Clark says:

        If you think that there is any possibility that the ICO won’t have people to fine then you are much mistaken. From the hordes of unregistered businesses now who should be registered, through to those who fall foul of GDPR next year, there could easily be enough money coming in to cover their costs.

      • Emma says:

        Reply to Simon Clark: the ICO has never believed the right approach is to be funded by fines. As Seth says this would create a perverse incentive to enforce. The ICO’s annual report suggests that their staff costs alone were about £16 million. They probably need about £20 million a year to cover all their costs. Fees are the best and most secure way to fund this.

      • Simon Clark says:

        Yes but Emma, what you are failing to consider is that GDPR encompasses data privacy in a lot more places than the current DP legislation. Small groups, such as sports clubs, the WI, the church choir have never been bothered or covered before. The EU said there should be no fee with GDPR, but Section 132 of the DPA2017 Draft says fees may be levied. It’s a complete contradiction.

  3. Harry Ewins says:

    Fees that are based upon turnover do not reflect the ability of the organisation to afford to pay these registration fees. Will the exemptions take into account this factor?
    Isn’t it a pity that we hear about this proposed fees charging method initially through a LinkedIn post relating to a DCMS survey; not very much in the spirit of transparency or plans for the GDPR really is it?

  4. Steve says:

    Ah so, the skeptic in me thinks this is an opportunity for the ICO to raise their fees and use the GDPR as its excuse. Just another organisation profiting off new legislation. Oh and more ‘wait and see’. Thanks for that.

    • Emma says:

      You are mistaken that the ICO profits from legislation. The fees have always provided its income, with which it carries out its duties, including paying staff, paying rent and bills on its premises and all the other expenditure a normal business incurs. It doesn’t get funding from anywhere else.

  5. I have been told that the ICO have hired an additional 200 staff to pursue companies that fail to comply with GDPR. Has that recruitment drive been halted, given that most of the ICO income will now come from fees instead of fines?

    • Emma says:

      The ICO has never had any income from fines. It has never believed this is the right approach either. Companies paying fees is a much better system than government funding. Even if the Govt had the money (which it doesn’t), that compromises the ICO’s independence.

      • Simon Clark says:

        Strangely I don’t agree with you. This Government suddenly seems to be able to find money for all sorts of things.

  6. Sandra says:

    Will childminders get a reduced fee? I look after 5 part-time children but still have to pay £35, the same amount as businesses with hundreds of employees. I hope your new fee scale takes a fairer account of number of employees, i.e. just 1.

    • Jayne Blount says:

      I agree Sandra. We have enough expenditure to the little amount of income we get as it is. I fear we will be hearing an increase though rather than a reduction 🙁

      • C Curtis says:

        Same here, I only childmind one day a week so I really hope it doesn’t increase.

  7. Etta says:

    Hopefully there will not be too large an increase in the fee structure.

  8. Addrian woodhead says:

    Why should residential homes have to pay to register CCTV when the police come knocking on the door to use for state purposes to detect crimes, VAT is already paid to the govt when purchased. This is massively unethical as we have to pay the state to register, who then get to use our systems for free.

  9. Paul Smith says:

    It is rather laughable to suggest that this is a clarification. Apart from suggesting that fees will rise, there is no useful information whatever in this release.

  10. Pingback: GDPR Friday Roundup – 6th Oct 2017 – The Data Guardians

  11. Jennifer says:

    Questions/ observations:
    -Whilst a grant is given by the Dep for culture, media and sport for FoI work, I don’t understand why funding for work done by the ICO under the DPA isn’t funded by some other government department?
    -For small businesses owners; would the fee not qualify as an expense that you claim against your tax under ‘financial costs’?
    -The DEA 17 covers: online infringement of copyright; public-service broadcasting and content; network infrastructure; and digital safety among other things so far too wide to then include into the DPA.
    -It does provide some clarity in part with regards to current renewals that would ordinarily cover a period beyond May 2018.

  12. Pingback: Some DP Updates - Panopticon Panopticon

  13. So, no surprise in this announcement, just a shame that once again organisations will have to wait for the exact detail until the end of the year, (as with other outstanding matters still under discussion with WP29).

    So, thank you for confirming the ‘gravy’ is on its way, we just have to wait to see what meat is provided to complete the meal.

    I have been training sole traders and SMEs in the transition from the DPA to the GDPR and specifically highlighted to them the fact that the ICO would need the funding confirmed in order to be seen as remaining independent, and to expect some other legislation to be used to ensure that it was found from somewhere.

    For many, it was their first insight into the data protection arena and based on feedback I have received I can tender my thoughts that the three tiers may simply not be enough based on the criteria mentioned in the article above.

    The very first classification should be Type Of Business/Organisation, as this would assist most of those commenting above and perhaps indicate an answer on the element of risk. It may also give an indication as to ability to pay and the source of funding that would provide funds for the same.

    Any risk factors could be mitigated depending on whether any data protection training had been received, best practice adopted in relation to cyber awareness etc.

    While the number of employees and turnover may have stood the test of time with the DPA, it’s hardly relevant to the breadth of personal data processing being undertaken today.

  14. Rick Hough says:

    There seems to be a worrying lack of information around for small clubs and societies. Bearing in mind that even a small fine could sink many of these organisations, some clear information or even a forum would be a great help.

    The risk of massive fines for non-compliance with GDPR is a major concern for lots of small organisations. I have even heard that some club and society leaders consider the risk of being responsible for data, and multi-million Euro fines, so great they are ready to pack it all in and shut down the club.

    I am currently writing a new Privacy Policy and Data Protection information for my own site, a resource for small sports leagues, clubs, schools and societies, and seeking advice that may help them meet the demands of GDPR to negate the risk.

    If there was an ICO resource to which I could refer people, that would be a great help.
