In May 2018 the Data Protection Act 2018 introduced GDPR into UK law. One of the many changes it introduced was with regard to registration and fees. In this blog post we will explain how the new fee structure works and how it will impact your business.
Although the GDPR does not require registration (also known as notification) any more the ICO can charge a fee, and so it has set up a new fee regime/structure. The fee is only payable by data controllers unless they are exempt (the government is currently consulting on the proposed exemptions although it seems as if they will be the same as before).
There are now 3 tiers of fees based on turnover and staff numbers as follows:
- Tier 1: £40 –if you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff.
- Tier 2: £60 – maximum turnover of £36 million for your financial year or no more than 250 members of staff.
- Tier 3: £2,900 – everyone else
The ICO has stated that they will regard all controllers as eligible to pay the fee in tier 3 unless and until the Data Controller tells them otherwise meaning in reality every business that processes personal data will need to notify the ICO or be fined (the maximum fine for not paying the fee or for paying the incorrect fee is now £4,350).
The new fees are already in force, but if you were already registered and have already paid you won’t have to pay the new fee until you renew.
Aside from the level of the fee, the main difference between in the new rules is that data controllers no longer have to give details of the types of processing they do. Rather a data controller just needs to tell the ICO:
- The name and address of the controller
- Number of staff and turnover in the last financial year – as these will determine the fee level
- The name and contact details of the:
- The person completing the registration process.
- The relevant person for the ICO to contact (if not the above)
- The data protection officer, if required by the GDPR (if neither of the above).
The ICO has confirmed it will publish the following:
- the name and address of the controller;
- the data protection registration number;
- the level of fee paid;
- the date the fee was paid and when it is due to expire;
- any other trading names of the organisation; and
- the name and contact details for the DPO, if they have consented to this.
What this means for the majority of businesses that are not already registered with the ICO is that they will have to do so as soon as possible to avoid being fined. If you are in doubt about whether you should register we recommend that you check first with the ICO or just do so to be on the safe side.
Remember that the Data Protection Act 2018 imposes stricter rules on businesses, the need to publish a GDPR privacy notice on your website and enter into data processing agreements with suppliers. If you are not yet GDPR compliant it’s probably a good idea to become so as soon as you can.