On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October 2018 to respond. Those who fail to pay could face a maximum fine of £4,350.
Data protection fees were introduced by the Data Protection (Charges and Information) Regulations 2018. The Regulations came into force at the same time as the General Data Protection Regulation (see our previous blog on this here). Proceeds from the data protection fee are used to fund the ICO. Fees are calculated by reference to three tiers. Micro organisations must pay £40; small and medium organisations pay £60; large organisations pay £2,900.