ICO: Data Protection registration and fees

Of relevance to: All firms processing personal data, including data controllers currently registered with the ICO
Key date: Applicable from 25 May 2018

The General Data Protection Regulation (“GDPR”) removes the requirement for data controllers to register with the Information Commissioner’s Office (“ICO”). However, new UK regulations, with effect from 25 May 2018, require all data controllers to provide certain information and pay annual ICO fees to ensure its continued funding.

‘Data controller’ is defined in section 108(8) of the Digital Economy Act 2017 as a person who, alone or jointly with others, determines the purposes and means of the processing of personal data; ‘personal data’ means any information relating to an identified or identifiable individual.

Under GDPR, data controllers must maintain their own internal data processing record.

However, in order to provide continued funding for the ICO’s activities, the Data Protection (Charges and Information) Regulations 2018 (Statutory Instrument 2018 No. 480) came into effect at the same time as the GDPR.

These Regulations set out the circumstances in which data controllers are required to provide information and pay a charge to the ICO, replacing the previous regime under the Data Protection (Notification and Notification Fees) Regulations 2000 (Statutory Instrument 2000 No. 188).

Data controllers must pay an annual ICO fee unless all the processing of personal data is exempt processing (see below).

Controllers who have a current registration (or notification) under the Data Protection Act 1998 do not have to pay the new fee until that registration has expired. A direct debit form will be sent with the renewal reminder. The fee is reduced by £5 for a data controller that makes payment by direct debit.

When paying the data protection fee, data controllers will need to tell the ICO:

  • the name and address of the controller;
  • the number of members of staff;
  • the turnover for the latest financial year; and
  • any other trading names.

The ICO will also ask for the names and contact details of the following people:

  • the person completing the registration process;
  • a relevant person in the organisation to contact on ICO matters, if this is different from the above; and
  • the data protection officer (if you must have one under the GDPR), if this is different from the above.

The ICO Fees

Tier 1 – £40 – micro organisations

Maximum turnover of £632,000 for its financial year or no more than 10 members of staff.

  • Charities that are not otherwise subject to an exemption will only be liable to pay the Tier 1 ICO fee, regardless of size or turnover.
  • Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the Tier 1 fee, regardless of size or turnover.

Tier 2 – £60 – small and medium organisations

Maximum turnover of £36 million for its financial year or no more than 250 members of staff.

Tier 3 – £2,900 – large organisations

If neither Tier 1 nor Tier 2, organisations will have to pay the Tier 3 ICO fee.

By default, the ICO regards every controller as liable for the Tier 3 fee unless and until the controller tells the ICO otherwise, so a controller that qualifies for Tier 1 or Tier 2 must say so when it provides its information and pays.

Public authorities should categorise themselves according to staff numbers only.

The Exemption

Any organisation which is processing personal data only for one or more of the following activities will be fully exempt from the requirement to pay a fee:

  • staff administration;
  • advertising, marketing and public relations;
  • accounts and records;
  • not-for-profit organisation purposes;
  • personal, family or household affairs;
  • maintaining a public register;
  • judicial functions; or
  • processing personal information without an automated system such as a computer.

These exemptions are only in relation to payment of ICO fees – the entities involved still need to ensure they are complying with the other obligations set out in the Data Protection legislation in the UK, including GDPR.

Endnote

These Regulations bind the Crown but do not apply to Her Majesty in Her private capacity, or in relation to the Duchy of Lancaster, or to the Duke of Cornwall.
