New ICO charging structure revealed for data controllers

United Kingdom, Scotland

On 21 February 2018 the ICO published guidance on the new charging structure for data controllers which will replace the existing notification regime, change how data controllers pay fees to the Information Commissioner’s Office (“ICO”) and how the ICO is funded.

The Data Protection (Charges and Information) Regulations 2018 (the “2018 Regulations”) introduce the new structure alongside the EU General Data Protection Regulation (“GDPR”) which will come into force on 25 May 2018.

This new structure (which is still in draft form) will likely have the biggest impact on those public authorities that have more than 250 members of staff, with a marked increase of £2,400 (480%) in the annual fee payable to the ICO.

Under the current Data Protection Act (“DPA”) organisations that process personal information have an obligation to:

  • notify the ICO regarding what personal data they are collecting and what they are doing with it; and
  • pay a notification fee to the ICO of either £35 or £500, based on the organisation’s size, turnover and the amount of personal data it is processing.

Following the commencement of GDPR, organisations processing personal data will have an obligation to keep detailed records of their processing; however, the obligation to notify the ICO will cease to exist. Even so, due to provisions in the 2018 Regulations, the requirement to pay a fee will survive.

The new charging structure is important for funding data protection work undertaken by the ICO (which the Government has a statutory duty to ensure is adequately funded). The relevant fee will be determined in a similar manner to the previous law, by differentiating between big and small organisations.

The draft charging structure is set out in three tiers which are based on size of organisation, turnover and whether an organisation is a public authority or charity. There are also a number of exemptions, and, if you pay by direct debit, you will receive a £5 discount. It is noteworthy that the ICO will categorise organisations as Tier 3 unless and until they are notified otherwise.

The fees put forward to Parliament for approval are as follows:

| Tier | Type of Organisation | Fee |
|------|----------------------|-----|
| Tier 1 | Micro organisations. Organisations with a maximum turnover of £632,000 or no more than ten members of staff. | £40 |
| Tier 2 | SMEs. Organisations with a maximum turnover of £36 million or no more than 250 members of staff. | £60 |
| Tier 3 | Large organisations. Those organisations not meeting the criteria of Tiers 1 or 2. | £2,900 |


Public authorities and charities are eligible for certain exemptions. For example, public authorities need only categorise themselves according to staff numbers and not turnover, and all charities fall into Tier 1 (unless they are eligible for any other exemption). The ICO will calculate members of staff as the average number working for an organisation during its financial year. The term ‘members of staff’ is broadly defined to include all employees, workers, office holders and partners, and each part-time staff member is counted as one member of staff.

The fee does not apply if you are a controller and are only processing personal data for one or more of the following purposes:

  • Staff administration;
  • Advertising, marketing and public relations;
  • Accounts and records;
  • Not-for-profit purposes;
  • Personal, family or household affairs;
  • Maintaining a public register;
  • Judicial functions; and/or
  • Processing personal information without an automated system such as a computer.

The ICO have stated it is their intention to provide an online self-assessment tool to help organisations work out which tier applies and identify if any exemptions are applicable. Once Parliamentary approval has been granted, the ICO will update their guidance to reflect any changes.

So, what does this mean for data controllers at the moment?

  • If you are due to renew your notification shortly, you should continue to renew. It is still a criminal offence not to notify if an organisation is required to do so under section 17 of the DPA.
  • If you currently have a registration (or notification) under the DPA, you will not need to pay under the new charging structure until your current registration expires.
  • If you do not know which tier applies to you, take a look at the ICO guidance, which is helpful in determining the relevant fee and whether you are eligible for an exemption.