The UK Government has announced a new charging structure for data controllers. This charging system provides funding for the Information Commissioner’s Office (ICO). The new charging structure will come into effect on 25th May 2018 alongside the GDPR.
Currently and until that date, organisations pay a notification fee, unless they are exempt. The new structure will remove this fee and replace it with a new funding structure based on the relative risk to the data that an organisation processes. There will be 3 tiers to the new charges as set out below, and factors such as organisation size, turnover and status (public authority/charity etc) will be taken into account.
Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit)
Tier 2 – SMEs. Maximum turnover of £36million or no more than 250 members of staff. Fee: £60
Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
The ICO has produced a Guide to the Data Protection Fee containing information about the new charging structure for data controllers which can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/guide-to-the-data-protection-fee/
Elizabeth Denham spoke at the Direct Marketing Association’s Data Protection 2018 event. She noted that the ICO will be presenting on how they will discharge their regulatory powers under the GDPR at the Data Protection Practitioner’s Conference on 9th April. She once again promoted the emphasised that generally they will reserve their strongest sanctions for the more serious, high-impact, deliberate, wilful or repeated breaches, in particular for breaches involving novel, technological approaches that present a high degree of intrusion into people’s privacy.
The Federation of Small Businesses on 26th February launched a campaign supported by the Information Commissioner’s Office, urging small businesses to prepare for the GDPR. The FSB state that research that it has undertaken found that over a third (33%) of small businesses have not yet started preparations for the new laws, whilst a third (35%) are only in the early stages of preparations that come in to effect on 25 May.
They point to the ICO’s section on FAQs for small organisations https://ico.org.uk/for-organisations/business/guide-to-the-general-data-protection-regulation-gdpr-faqs/ and also the dedicated advice line offering help to small organisations preparing for the new data protection law: https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/
In the News:
ICO executes a search warrant at the home of a suspected imposter posing as in ICO officer in order to alter exam results.
The ICO executed a search warrant as part of an investigation into a person suspected of posing as an ICO officer to commit criminal offences. A house in London was searched in relation to an individual suspected of attempting to illegally obtain personal data from two professional standards organisations by falsely claiming to be from the ICO. The person is suspected of using fake email addresses, identification and counterfeit documents to pose as an ICO officer in an attempt to have exam results corrected or deleted under the accuracy provisions of the Data Protection Act 1998. Officers from the ICO’s Criminal Enforcement team seized mobile phones and computer equipment from the address for further analysis.
Former council worker is fined for sharing personal information about schoolchildren and parents via Snapchat.
A former local authority education worker who illegally shared personal information about schoolchildren and their parents has been prosecuted.
The defendant, who was at the time employed as an apprentice in the schools admissions department of Southwark Council, took a screenshot of a council spreadsheet concerning children and their eligibility for free school meals before sending it to the estranged parent of one of the pupils via Snapchat. The image sent included names, addresses, dates of birth and NI numbers of 37 pupils and their parents, plus one school admission record relating to a child. She has been fined £850 plus £713 in costs.