Following the implementation of the EU General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 (DPA) on 25 May 2018, organisations that are data controllers need to remember to comply with the UK’s new fees regime for funding the Information Commissioner’s Office (ICO).
The UK’s Data Protection (Charges and Information) Regulations 2018 (the Charges Regulations), which were also introduced on 25 May 2018, introduce the requirement for data controllers to pay a tiered fee to the ICO, unless certain exemptions apply.
There is no separate jurisdictional ambit to this requirement. Consequently, on the basis that the jurisdictional ambit of the DPA also applies here, data controllers outside the UK would be required to pay where either:
- they process personal data in the context of an establishment in the UK; or
- they are established outside the EU, the personal data relates to a data subject who is in the UK when the processing takes place, and the processing relates to either: (a) the offering of goods or services to data subjects in the UK; or (b) the monitoring of data subjects’ behaviour in the UK.
Where a fee is payable, it will be between £40 and £2,900 per year, depending on the size of the data controller. Further details on the fee arrangements are set out below.
How does the new fee system work?
The Charges Regulations replace the historic requirement for data controllers to notify the ICO of their processing activities in addition to payment of a fee. Instead, data controllers will no longer have to provide granular details of their processing activities, but will fall into one of three ‘Tiers’, depending upon the following factors, which will determine the appropriate level of fee payable:
- number of staff;
- annual turnover; and
- whether the organisation is a public authority, charity or small occupational pension scheme.
Controllers who fall within Tier 1 are required to pay £40 per year; those within Tier 2 are required to pay £60 per year; and those within Tier 3 are required to pay £2,900.
To assist organisations in determining whether they are required to pay a fee, the ICO has developed a self-assessment tool.
How to determine the applicable Tier
A data controller will fall within Tier 1 if:
- its turnover is less than or equal to £632,000 for the most recent financial year ending prior to the period for which the fee applies;
- the number of staff members is less than or equal to 10; or
- it is a charity or small occupational pension scheme.
A data controller will fall within Tier 2 if it is not within Tier 1 and:
- its turnover is less than or equal to £36 million for the most recent financial year ending prior to the period for which the fee applies; or
- the number of staff members is less than or equal to 250.
If neither Tier 1 nor Tier 2 is applicable, then a data controller will fall within Tier 3. (Note that the ICO will assume you fall within Tier 3 unless you provide information to the contrary.)
The number of staff members is calculated on the first day of the period for which the fee applies, and involves taking an average across the most recent financial year. To do this, first, identify the total number of persons who have been members of staff (which includes employees, workers, office holders and partners, including part-time staff, and is not restricted to solely UK-based staff) for each month of the financial year; then add these up; and finally divide by the number of months in the calendar year.
To assist organisations in determining how much they are required to pay, the ICO has developed a fee assessment tool (separate to the self-assessment tool for determining whether the organisation needs to pay a fee).
Are you exempt?
The default position remains that a data controller must pay a fee to the ICO if they are processing personal data. However, certain exemptions may apply if all processing activities are carried out solely for one or more of the following purposes:
- staff administration;
- advertising, marketing and public relations in respect of the data controller’s own business, activity, goods or services;
- keeping accounts and records, deciding whether to accept a person as a customer or supplier, and making financial forecasts, but in each case only in relation to activities carried on by the data controller;
- certain not-for-profit purposes;
- personal, family or household affairs;
- maintaining a public register;
- judicial functions.
In addition, processing which is not carried out by automated means (whether wholly or partly) is exempt.
More information on the application of exemptions is set out in Section 5 of the ICO’s guidance on data protection fees. It should be borne in mind that whether a fee exemption applies does not affect whether you need to comply with GDPR and the DPA themselves.
When do you need to pay?
The Charges Regulations recognise the need to provide for the transition from the old notification arrangement to the new fee model, and set out different deadlines for payment depending upon the following circumstances:
- if you are currently registered with the ICO (under the Data Protection Act 1998) – no further payment is required until the current registration expires, at which point the new regime applies and you will have 21 days in which to make payment and provide certain required information.
- if you were a data controller immediately before 25 May 2018 but did not have a current registration with the ICO at that time – the new regime applies from 25 May 2018, and you have 21 days from then to make payment and provide certain required information.
- if you became a controller after 25 May 2018 – you have 21 days from the day on which you became a controller in which to make payment and provide certain required information.
What if you fail to comply?
The ICO has the power to enforce the Charges Regulations and issue fines for failure to pay, failure to notify that you no longer need to pay, or failure to pay the correct fee. Under the previous regime, failure to register with the ICO was a criminal offence; non-payment under the new regime is no longer a criminal offence.
Where an organisation’s existing registration is soon to expire, the ICO will send a reminder to pay under the new funding model. If payment is not made, the ICO will issue a notice of intent 14 days after expiry of the existing registration, after which the controller will have 21 days to either pay or make representations as to why payment is not required.