New Structure for Data Protection Fees
Under the new General Data Protection Regulation (“GDPR”) data controllers will no longer have to register with the Information Commissioner’s Office (“ICO”), however, the requirement to pay an annual fee to the ICO is not being abolished. A new charging structure is being introduced to coincide with the implementation of the GDPR on 25 May 2018. Under the current Data Protection Act 1998, controllers who process personal data are required to register with the ICO (unless they are exempt). Many ITC members will be continue to be exempt from paying a fee since exemption applies where the processing is exclusively for not-for-profit purposes (or another purpose including staff administration, advertising, marketing, public relations or accounts/record keeping).
The new charging structure has three tiers:
Tier 1 (“micro organisations”)Turnover up to £632,000 OR Up to 10 members of staff OR Charities (regardless of size) - £40 (or £35 if paid by direct debit)
Tier 2 (“small and medium organisations”)Turnover up to £36 million OR up to 50 members of staff - £60
Tier 3 (“large organisations”) Any organisations who do not meet the tier 1 or tier 2 criteria - £2,900
Charities, whatever their size, are eligible to pay the Tier 1 fee but they must notify the ICO of their charitable status otherwise, if they are not exempt, they will automatically have to pay the Tier 3 fee of £2,900.
So, if your organisation is not exempt from registration check whether you are currently registered and that, if appropriate, you are registered as a charity. The new fee becomes payable once that registration expires (if it is after 25 May 2018). If your registration has expired (or will do so before 25 May 2018) and you do not provide the ICO with the necessary information to show that your organisation is a charity you will automatically be registered in Tier 3 and be liable to pay £2,900 rather than £40. Even if your registration expires on or after 25 May it may be best to contact the ICO to ensure you are not regarded at any point as a tier 3 organisation.
More information from the ICO, including guidance on when a data controller is “exempt” is at https://ico.org.uk/media/for-organisations/documents/2258205/dp-fee-guide-for-controllers-20180221.pdf