The Information Commissioners Office is the UK’s independent body uphold information rights in the public interest, covering data protection legislation including the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations and of course the General Data Protection Regulation (GDPR).
The ICO’s data protection work is currently funded through fees levied on organisations processing personal data, unless they are exempt. This is done under powers granted in the Data Protection Act 1998. The funding model is changing slightly and in February, the Government announced a new charging structure for data controllers to ensure the continued funding of the ICO. The new structure will come into effect on 25 May 2018, to coincide with the GDPR. Therefore, the current requirement to pay a fee will stop when the GDPR comes into effect on 25 May 2018 and the new structure will come into play.
The new funding structure is based on the relative risk to the data that an organisation processes. Payments will be divided into three tiers and the amount payable by an organisation will be based on a number of factors including size, turnover and whether they are a public authority or charity.
For very small organisations, the fee will not rise above the current £35 (by taking advantage of the £5 reduction given for paying by direct debit). Most SMEs will be required to pay £60 whilst larger organisations will be required to pay £2,900. This higher fee is justified by the fact that larger organisations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk.
For those who do not pay the fees, financial penalties will apply in the form of civil monetary penalties.
The fees are:
Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit)
Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
Further information can be found on the ICO website here: