If you’re not registered with the ICO as a data controller, you might be breaking the law.
Update – 25/06/2018: The Department for Digital, Culture, Media and Sport has issued a review of the current exemptions to the data protection fee. In consultation with relevant stakeholders, the government is looking to possibly expand or adapt the exemptions. Watch this space for further news.
With GDPR now in effect, most businesses are aware of the responsibilities they hold in relation to personal data. But one element of the rules that hasn’t perhaps been widely publicised is that of the data protection fee, which requires many organisations to register with the ICO – or potentially face large fines. Even more worrying is that this isn’t anything new – the Data Protection Act of 1998 already had similar rules.
Data Protection Act Registration
Before the GDPR came into effect, the ICO’s website said, “The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. Over half a million organisations are currently registered.”
At the time, registration lasted for a year and usually cost £35. However, the cost could be higher for larger businesses and public authorities. What’s particularly interesting, though, is the low number of registered organisations. As you may know, a data controller is the person or organisation that decides the reasons for which personal data is collected, used and held within a business or other organisation. This includes names, addresses, licence plate numbers and even CCTV footage – essentially anything that could be used to identify an individual.
Surely there are more than half a million businesses in the UK that deal with such information, so why were there so few registered with the ICO? Were they all exempt?
To answer these questions, we first need to look at what the exemptions were. In the ICO’s words, you didn’t have to register under the Data Protection Act if the personal data you held was processed only for the following reasons:
- staff administration (including payroll);
- advertising, marketing and public relations (in connection with their own business activity);
- accounts and records;
- some not-for-profit organisations;
- organisations that process personal data only for maintaining a public register;
- organisations that do not process personal information on computer.
These exemptions no doubt account for why many companies weren’t registered with the ICO, but it seems likely that others weren’t registered simply because they didn’t know they were supposed to be or just didn’t care. In either case, this is worrying, because at the time, the ICO had the power to fine businesses up to £5,000 for not registering when they were supposed to, including for having unregistered CCTV.
GDPR Data Protection Fee
Now, of course, the Data Protection Act no longer applies, because it’s been replaced by the GDPR, but registration with the ICO is still very much a requirement for businesses, unless they’re exempt. There are, however, some key differences in its structure. It’s also worth noting that anyone who’s already registered with the ICO under the Data Protection Act won’t have to do it under GDPR until the previous registration has expired.
Whether you’re already registered or not (and assuming you’re not exempt), you will at some point have to register under the new rules, and the way it works is a bit different to its predecessor. How much you have to pay to register depends on where your business sits on a three-tier scale:
Tier 1 – micro organisations. You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations. You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations. If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. (ICO website)
Importantly, if you don’t inform the ICO of your particular circumstances, then it will be assumed that you belong in tier 3, and you’ll have to pay the highest data protection fee.
As with the old rules, this fee has to be paid yearly, and again there are exceptions and exemptions.
The exceptions are:
- Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
- Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
- Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
And the exemptions, according to the ICO, are:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
As you’d expect, there are once again fines for not paying the data protection fee or for paying the wrong one: 150% of the top tier fee, which translates as £4,350. That, of course, is less than the old fine, but it’s still a substantial amount of money.
Why You Should Register
The most obvious reason to pay the data protection fee is because it’s a legal requirement (assuming you’re not exempt), but with only half a million organisations registered with the ICO under the Data Protection Act, it’s likely that many haven’t been fulfilling this obligation. If that’s the case, then it would seem the ICO has thus far used its fining powers much less than it could have.
Why, under GDPR, might that change? Is the ICO any more likely to levy these fines under the new rules than it was under the old ones?
It’s impossible to say for certain, but the very fact that GDPR exists at all suggests that data protection is being taken more seriously than it has been in the past. Also, the ICO will be keen to prove it’s doing its job. As the Information Commissioner has said, fines are the last resort. But the data protection fee is going to be vital to the ICO if it’s to function properly. If businesses ignore the requirement en masse, the ICO could flex its muscles by making an example of some of them.
The question is: could your business take a hit like that, if you were singled out for punishment?
All organisations that process the personal data of EU residents need to be GDPR compliant. That includes protecting personal data with sufficient cyber security. TMB has many years of experience in this field, so call us to discuss your needs: 0333 900 9050. Alternatively, get in touch via our contact page, or email us at email@example.com.