New data protection fees
Every organisation that processes personal information is required to pay a fee to the ICO (subject to limited exemptions) and provide certain information, some of which will be published on a publicly accessible data protection register. This includes:
- the name and address of the controller
- the data protection registration number;
- the level of fee paid (i.e. Tier 1,2 or 3 – see table below for further details);
- the date the fee was paid and when it is due to expire;
- any other trading names of the organisation;
- the contact details for the Data Protection Officer, if there is one; and
- the name of the Data Protection Officer, if there is one and provided that they have consented to giving their name.
Regulations which came into force alongside the new UK Data Protection Act 2018 (DPA 2018) on 25 May 2018 introduced the new data protection fee regime to replace the former data protection registration system under the Data Protection Act 1998 (DPA 1998).
Under the new system, the annual data protection fee level (and applicable fines for not paying the fee) will depend on the size and turnover of the organisation.
|
Tier |
Size/Turnover |
Fee |
Fine |
|
1 (Micro) |
Maximum turnover of £632,000 or no more than ten members of staff |
£40 |
£400 |
|
2 (SME) |
Maximum turnover of £36 million or no more than 250 members of staff |
£60 |
£600 |
|
3 (Large) |
Those not meeting the criteria of Tiers 1 or 2. |
£2,900 |
£4,000 |
Aggravating factors can also lead to an increase in a fine for non-payment of the data protection fee up to a maximum of £4,350.
There is a £5 discount for payments by direct debit, so for very small organisations the fee won’t be any higher than the £35 they paid for data protection registration under the old DPA 1998 scheme. By contrast, the Tier 3 fee is substantially more than the highest fee under the DPA 1998 registration scheme (£500).
Organisations that have a current data protection registration under the DPA 1998 regime do not have to pay the new fee until that registration expires.
However, the ICO has recently issued a press release which stated that manufacturers were among the first organisations to be fined for not paying the new data protection fee. According to the ICO, fines were imposed where they were left with “no option” following numerous attempts to collect the fees via a “robust collection process”.
What action should you take?
We recommend that manufacturers who have not already done so check that their current registration is up-to-date and ensure that they pay the fee required under the new rules as soon as that registration expires. You can check your renewal date by searching the ICO register.
How EEF can help
Our hugely popular GDPR seminar series continues throughout January 2019. The latest instalment, Practical GDPR for HR professionals: what will change in your day job?, explains how the GDPR and DPA 2018 will affect everyday HR activities and provides detailed guidance on responding to Subject Access Requests and reporting personal data protection breaches.
HR Handbook review
Start 2019 with up to the minute policies and procedures - ask your EEF advisor about our HR handbook review and re-new service. We’ll future proof your employment handbook to take into account the latest developments (including GDPR).
For more information, speak to your EEF adviser, email [email protected] or call 0808 168 5874.