The ICO is funded by these fees and over the last year its workload has increased significantly due to the introduction of GDPR and also carrying out several very large and high profile investigations. It is therefore not surprising that they are seeking to enforce payment.
The ICO’s statement says that this first round of fines have been imposed on organisations who have failed to renew their fees following expiry. It therefore seems that there may be some confusion on the part of organisations in light of the changes made this year.
The requirement to pay a fee is not set out in the GDPR or the UK Data Protection Act 2018, but is contained within a separate piece of legislation which also came into force on 25 May 2018 - the Data Protection (Charges and Information) Regulations.
Do I need to pay a fee?
If you are an organisation (however small) which processes personal data then you are legally required to pay a fee to the ICO, unless an exemption applies.
You will be exempt from paying the fee if you only process personal data for the following activities:
- staff administration
- advertising, marketing and public relations
- accounts and records
- not–for–profit purposes
- personal, family, or household affairs
- maintaining a public register
- judicial functions
- processing personal information without a computer or other similar device.
What is the fee?
The vast majority of organisations will need to pay an annual fee of either £40 or £60 to the ICO, depending on your annual turnover and number of employees. The largest organisations (those with an annual turnover of more than £36m or with more than 250 staff) will need to pay an annual fee of £2,900.
There is a £5 discount applied if you pay by direct debit, and this will also minimise the risk of forgetting to renew.
When you register to pay on the ICO website, it will take you through a short questionnaire asking for some basic details about your organisation. Based on your answers, it will automatically let you know which level of fee you need to pay, or whether you are exempt.
What if I haven't paid yet?
If you are concerned that you might be one of the organisations who has not renewed, or may not have registered at all, then you can check whether you have a current registration on the Register of Fee Payers on the ICO website.
If you have failed to register or renew then do not panic, but make sure that you do so as soon as possible. You will not be fined because you have made the payment late. The ICO is however highly likely to continue enforcing payment of unpaid fees and issuing fines to those who do not comply.
If you have any queries regarding compliance with data protection law, please contact Nicola Gulrajani on 01603 756568 or [email protected].