by GDPR Associates | 5th October 2017 3:59 pm
As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.
Under the current Data Protection Act (DPA), organisations that process personal information are required to notify with the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.
When the new data protection legislation comes into effect next year there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.
The Digital Economy Act paves the way for a new funding system for the ICO. The amount of the data protection fee is being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament.
The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing.
The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.
We expect to know more by the end of the year and will communicate to data controllers once we do.
The new model will go live on 1 April 2018.
Organisations should continue to renew their notification as usual and it is still a criminal offence to not notify if an organisation needs to. Once we know more about the new fees, we will be telling all organisations about the changes and what they need to do. So, until the new fees come in, it is very much business as usual – so no excuses for not notifying!
We expect that under the new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.
Yes, what these exemptions will be has yet to be confirmed by DCMS but we expect them to be similar to those under the current regime.
We will be informing people in the reminder paperwork we send them about renewal. Next year we’ll make clear to those due to renew from April that they will be under the new regime and we’ll include everything they need to know to make the process go smoothly.
Update 31/10/2017 – We are now able to share the fee ranges used by DCMS in their recent consultation about future ICO fees.
Direct marketing top up Organisations that carry out electronic marketing activities as part of their business.
Tier 1: annual fee of up to £55
Tier 2: annual fee of up to £80
Tier 3: annual fee of up to £1000
Direct marketing top up fee of £20
The consultation was carried out by DCMS through a third party, using organisations who had responded to previous ICO research. In 2015, the ICO used a third party to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the ICO’s register including all top fee payers and a random sample of lower fee payers. This equated to approximately 40,000 organisations, who were then contacted and around 2,000 responded. The sample for this consultation was the circa 2,000 organisations that responded to the previous research.
Just over 300 of these data controllers contributed to the latest consultation.
DCMS is now reflecting on the responses to the consultation before developing the fee regulations needed to underpin the ICO’s future funding arrangements.
The original article (and image) was originally posted here: https://iconewsblog.org.uk/2017/10/05/ico-fee-and-registration-changes-next-year/
Source URL: https://www.gdpr.associates/ico-fee-registration-changes-next-year/
Copyright ©2019 GDPR Associates unless otherwise noted.