|Of relevance to:||All firms processing personal data, including data controllers currently registered with the ICO|
|Key dates:||25 May 2018|
The General Data Protection Regulation (“GDPR”) removes the requirement for data controllers to register with the Information Commissioner’s Office (“ICO”). However, new UK regulations require all data controllers to provide certain information and pay an annual ICO fee to ensure its continued funding.
‘Data controller’ is defined in section 108(8) of the Digital Economy Act 2017 as a person who, alone or jointly with others, determines the purposes and means of the processing of personal data, and ‘personal data’ means any information relating to an identified or identifiable individual.
Under GDPR, data controllers must maintain their own internal data processing record.
However, in order to provide continued funding for the ICO’s activities, the Data Protection (Charges and Information) Regulations 2018 (Statutory Instrument 2018 No. 480) will come into effect at the same time as GDPR.
These Regulations set out the circumstances in which data controllers are required to provide information and pay a charge to the ICO from 25 May 2018, and replace the previous regime under the Data Protection (Notification and Notification Fees) Regulations 2000 (Statutory Instrument 2000 No. 188).
Data controllers must pay an annual ICO fee unless all the processing of personal data is exempt processing (see below).
Controllers who have a current registration (or notification) under the Data Protection Act 1998 do not have to pay the new fee until that registration has expired. A direct debit form will be sent with the renewal reminder. The fee is reduced by £5 for a data controller that makes payment by direct debit.
When paying the data protection fee, data controllers will need to tell the ICO:
- the name and address of the controller;
- the number of members of staff;
- the turnover for the latest financial year; and
- any other trading names.
The ICO will also ask for the names and contact details of the following people:
- the person completing the registration process;
- a relevant person in the organisation to contact on ICO matters, if this is different from the above; and
- the data protection officer (if you must have one under the GDPR), if this is different from the above.
The ICO Fee
Tier 1 – £40 – micro organisations
Maximum turnover of £632,000 for its financial year or no more than 10 members of staff.
- Charities that are not otherwise subject to an exemption will only be liable to pay the Tier 1 ICO fee, regardless of size or turnover.
- Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the Tier 1 fee, regardless of size or turnover.
Tier 2 – £60 – small and medium organisations
Maximum turnover of £36 million for its financial year or no more than 250 members of staff.
Tier 3 – £2,900 – large organisations
If neither Tier 1 nor Tier 2, organisations will have to pay the Tier 3 ICO fee.
As a default, the ICO regard all controllers as eligible to pay the Tier 3 fee unless and until they tell them otherwise.
Public authorities should categorise themselves according to staff numbers only.
Any organisation which is processing personal data only for one or more of the following activities will be fully exempt from the requirement to pay a fee:
- staff administration;
- advertising, marketing and public relations;
- accounts and records;
- not-for-profit organisation purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions; or
- processing personal information without an automated system such as a computer.
These exemptions are only in relation to payment of the fee – the entities involved still need to ensure they are complying with the other obligations set out in the Data Protection legislation in the UK, including GDPR.
These Regulations bind the Crown but don’t apply to Her Majesty in Her private capacity or in relation to the Duchy of Lancaster, or to the Duke of Cornwall.