As our resident GDPR expert, Account Manager Heidi shares the latest information on GDPR, data protection fees, and how they may impact you and your organisation.
GDPR and Data Protection Fees: Do I Need To Pay?
“Do you know a good GDPR consultant?” “Yes.”
“Can you pass me their email address?” “No!”
That was one of my favourite GDPR memes that did the rounds on 25th May 2018. But have you heard the latest? The Information Commissioner’s Office (ICO), the UK regulator responsible for GDPR, has introduced a data protection fee. Under this, "All data controllers, including sole traders, companies, and MPs need to pay a fee to the ICO under the data protection legislation."
So who does that specifically impact? Who needs to pay, how much is the fee, and why do some organisations now need to pay it? This post addresses some common data protection fee FAQs.
Data Protection Fee FAQs Addressed
Who are the ICO?
The Information Commissioner’s Office (ICO) is “the UK’s independent authority, set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”.
Why do some organisations now need to pay a data protection fee?
As stated on the ICO’s site: ‘Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the ICO, unless they are exempt’.
This means that paying the fee is now a legal requirement. However, this doesn’t mean everyone now has to pay the new fee. Although GDPR came into effect on 25 May 2018, some organisations will be exempt, and Data Controllers who have a current registration (or notification) under the 1998 Data Protection Act will not have to pay the new fee until that registration has expired.
Do I need to pay the fee?
Generally, if your organisation processes personal data as a data controller, you will need to pay a fee. Company size, turnover and organisation type all affect whether you must pay the fee, and the amount due.
However, you do not have to pay the data protection fee if the only data processing you carry out is for one or more ‘core business purposes’.
Looking at B2B marketing agencies as an example, organisations of this type will need to register (and pay a fee) as they are using the data for marketing and advertising purposes for clients (not just their own business activity).
You can take the ICO self assessment to see if your organisation will need to pay the fee here.
How much is the ICO data protection fee?
This depends on an organisation's size, purpose, and turnover and is graded by different tiers. There are three tiers of fee: £40, £60 or £2,900. You don’t need to pay VAT.
As an example, a Tier 2 organisation (a small private limited company with high turnover) pays £60 for the year (£55 if paid by Direct Debit).
What do I get for paying the fee?
Paying the fee (when appropriate) is a legal requirement. In return for payment, your organisation will:
Be registered with the ICO
Receive a certificate of registration with the ICO (valid for 1 year)
Be published on the public register of data controllers
What if I don’t pay the fee?
Failing to register with the ICO and pay the fee (where necessary) is a criminal offence. You could risk being convicted and issued with a fine of up to £4,350 (150% of the top tier fee).
How do I know if I need to pay the fee?
The ICO offers a quick checklist to see if your organisation needs to pay the data protection fee. The checklist takes under 5 minutes to complete and asks about:
Remember, under the guidance, if you’re an organisation or sole trader processing personal information, you are required by law to pay a data protection fee to the ICO, unless you are legally exempt e.g. processing data for:
Advertising, marketing and PR (in connection with their own business activity)
The purpose of safeguarding national security
Some not for profit organisations
For more information or to assess the requirements for your specific business case, the ICO offers in depth insight and advice. You can find out more in their own FAQs page here.