A question we’re hearing from all manner of organisations is, do I have to register with the ICO? Usually swiftly followed by, how much is it and how do I pay? The rules of registering have changed recently, but fortunately the new system is just as simple.
Data controllers previously had to notify the ICO of their data processing, and CCTV had to be registered; both of these incurred an annual fee. These obligations have now been swept away. Instead, all data controllers pay a single data protection fee of between £40 and £2,900 per annum, depending on two very simple criteria: staff numbers and organisation turnover.
European law obliges member states to set up their own data protection supervisory authority. In the UK that is the Information Commissioner’s Office, which is to be partially funded by this new data protection fee.
On 25 May, a piece of legislation called the Data Protection (Charges and Information) Regulations 2018 came into force alongside the Data Protection Act 2018 and the GDPR. It replaces the former requirement to notify or register with the ICO as a data controller. Data controllers must now pay the ICO a data protection fee instead, unless they are exempt.
These exemptions are limited. Whether you are a micro-organisation or a large PLC, you should assume the fee is payable. Failure to pay the data protection fee could result in a fine of up to £4,350.
Not-for-profit organisations, limited uses of data, and judicial processing are some of the exemptions from the fee. If your organisation is the data controller of personal data for staff administration purposes only, you may not have to pay. Similarly, if you are a not-for-profit organisation, you are likely to be exempt.
The ICO has a simple self-assessment tool on its website, along with newly issued guidance on the data protection fee, which explains how organisations can determine whether or not they are exempt. The new legislation also provides an exemption if none of your processing is carried out on a computer.
Regardless of the other exemptions, if your organisation controls any CCTV, you will need to pay the fee as data controller (in the past, CCTV had to be registered with the ICO). Domestic use of CCTV is excluded.
After considering the exemptions, if you have established that your organisation does have to pay the fee, you then need to work out which fee tier it falls into. The fee is tiered as follows:
- micro organisations – £40 – for organisations with a maximum annual turnover of £632,000, or no more than 10 employees
- small and medium organisations – £60 – for organisations with no more than 250 members of staff, or an annual turnover of up to £36m
- large organisations – £2,900 – for organisations with more than 250 staff, or a turnover of more than £36m
Charities only have to pay the first-tier fee, regardless of staff numbers or turnover, as do small occupational pension schemes. Public authorities only need to consider their number of staff and can disregard turnover. The ICO has also launched a self-assessment tool for determining how much your organisation will be liable to pay.
How to pay
If your organisation is already registered, the ICO will contact you before your current registration expires to explain how to pay your fee under the new system. You won’t need to pay anything more until your current registration expires.
Recently expired registrations, however, are liable for the tier 3 fee until the organisation informs the ICO that its tier criteria are otherwise. Organisations paying for the first time will need to contact the ICO to provide their details and set up their payment. Organisations can pay by cheque, credit card or direct debit, and payment is due annually.
Full details of the data protection fee, the exemptions, and how to pay, along with the previously mentioned self-assessment tools, are all on ico.org.uk.
To learn more or for help with data protection, GDPR compliance or any IT legal issues, email [email protected] or call 0191 211 7777.