What do you need to know to make sure you don’t fall foul of the ICO’s new data protection fee?
Before the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) were introduced, data controllers were required to ‘notify’ the Information Commissioner’s Office (the ICO) that they were processing personal information and had to register with the ICO to do so.
However, once the 2018 Regulations came into force alongside the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (EU) 2016/679 (GDPR), every data controller became liable to pay a data protection fee unless it falls within one of the strictly defined exemptions.
If your organisation held an unexpired registration with the ICO when the 2018 Regulations came into force, the fee is not payable until that registration expires. If your organisation is exempt, no fee is payable at all. You can check whether you are exempt by reviewing the guidance recently published by the ICO at: https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/.
How much will I have to pay?
If you are liable to pay the data protection fee, the amount depends on the size of your organisation:
- If your turnover is no more than £632,000, or you have no more than ten members of staff, the fee is £40
- If your turnover is no more than £36m, or you have no more than 250 members of staff, the fee is £60
- If both your turnover and your headcount exceed those limits, the fee is £2,900
What happens if I don’t pay the data protection fee?
Organisations that fail to pay the data protection fee face a penalty of between £400 and £4,350, depending on their size and turnover. Failure to pay is a breach of the 2018 Regulations attracting a civil monetary penalty; it is not a criminal offence.
And the ICO has acted quickly to illustrate these are not empty threats.
The ICO issued its first fines in November 2018, with the manufacturing and finance sectors among the first to be targeted, and since September 2018 it has issued more than 900 notices of intent to fine and more than 100 penalty notices.
In December 2018 the ICO began formal enforcement action against care homes that had failed to pay the data protection fee, sending notices of its intent to fine those businesses and warning them that, if they still did not pay, they could face fines of up to £600.
To turn the heat up further, in April 2019 the ICO reversed its earlier position and published the names of organisations that had failed to pay the data protection fee despite receiving warning letters. These include some well-known names, among them NetApp, Jive Software and Prezzo. Organisations that fail to pay the fee therefore now risk reputational damage in addition to the legal and financial penalties, which sends a strong message.
Recent case law also suggests the Information Rights Tribunal is likely to side with the ICO. It has issued its first ruling on an appeal against an ICO fee penalty, upholding the ICO's original decision against the paint and wallpaper company Farrow & Ball. The ICO had fined Farrow & Ball £4,000, and the company appealed on the grounds that:
- The ICO had sent the payment reminder to a company representative who was on holiday when the letter arrived
- The ICO should have issued a further reminder
- The ICO had written to the company secretary, and the letter was not recognised internally as important
- Once the company spotted the error it contacted the ICO and paid immediately
The Tribunal, however, concluded that Farrow & Ball had not put forward a reasonable excuse for its failure to comply with the fee regulations, adding:
“…a reasonable data controller would have systems in place to comply with the Regulations…the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller”.
The Tribunal's test is therefore one of "expected standards": whether the controller had systems and procedures in place to comply with the 2018 Regulations, not whether the individual handling the correspondence happened to see it. This is likely to set a firm precedent for the approach the Tribunal will take in future cases and sends a clear message to any company that fails to pay the data protection fee.
If you would like to discuss your organisation's position in relation to the data protection fee, or any other aspect of GDPR, please email firstname.lastname@example.org or call Carys on 0114 252 1485.