As head of the commercial team Luisa has a wealth of commercial law experience and advises clients…
The current structure
Under the current regime, introduced by the Data Protection Act 1998 (DPA), data controllers processing personal data in the UK are required to ‘notify’ the Information Commissioner’s Office (ICO) and pay a registration fee of between £35 and £500, based on their size.
So, what is going to change?
Data controllers will now be required to register and pay new fees every 12 months to fund the ICO’s data protection work. The new data protection fee of up to £2,900 per year will apply in the UK from 25 May 2018, simultaneously with the General Data Protection Regulation (GDPR).
How much will I have to pay?
The fees are:
Tier 1 (£40, or £35 if paid by direct debit) – micro organisations with: (i) maximum turnover of £632,000; or (ii) no more than ten members of staff;
Tier 2 (£60) – small and medium-sized enterprises with: (i) maximum turnover of £36 million; or (ii) no more than 250 members of staff;
Tier 3 (£2,900) – large organisations: those not meeting the criteria of Tiers 1 or 2.
I have already paid my fee under the DPA, will I have to pay twice?
If you have renewed or registered with the ICO before 25 May 2018 under the DPA, you will only need to pay the new data protection fee when the current pre-GDPR registration expires.
There are, as now, some organisations that can try to claim an exemption from notifying and paying the fee, for example if your organisation is only processing personal data for staff administration.
Note: this is not an exemption from having to comply with the GDPR!
PENALTY CHARGE NOTICE: DO NOT IGNORE
Failure to pay at all, or paying the incorrect fee, is subject to a maximum penalty of £4,350 (150% of the Tier 3 payment).
For further information contact Luisa D’Alessandro on 0113 849 4057.