Data Protection fees are on the rise

The Information Commissioner’s Office (ICO) promotes and oversees compliance with data protection legislation in the UK.

On 25 May 2018, a new data protection regime will come into force, through the General Data Protection Regulation (GDPR).

Organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee unless they are exempt.

The new fees replace the requirement to ‘notify’ (or register), which cost £35 or £500 depending on the size or turnover of the organisation. The fees are going up quite considerably. There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. Fees are set to reflect the risks posed by the processing of personal data by controllers.

The ICO will have the power to enforce the GDPR and to serve monetary penalties on those who refuse to pay their data protection fee.  The fees will fund the ICO’s work and the increase is likely to mean greater resources will be put in place to impose and enforce penalties for non-compliance with the GDPR.

The three tiers

  • Small organisations with a maximum turnover of £632,000 or with fewer than 10 members of staff will pay £40.
  • Organisations with a maximum turnover of £36 million or no more than 250 members of staff will pay £60.
  • Large organisations (those that don’t fall into the other two types, above) will pay £2,900.