On 26 September 2018 the Information Commissioner’s Office (ICO) began formal enforcement action against 34 organisations that have failed to pay their data protection fees. Notices of intent have been served on both private and public sector organisations, including the NHS, government organisations, and businesses in recruitment, finance and accountancy. They have until 17 October 2018 to respond. Those who fail to pay could face a maximum fine of £4,350.
Data protection fees were introduced by the Data Protection (Charges and Information) Regulations 2018. The Regulations came into force at the same time as the General Data Protection Regulation (see our previous blog on this here). Proceeds from the data protection fee are used to fund the ICO. Fees are calculated by reference to three tiers. Micro organisations must pay £40; small and medium organisations pay £60; large organisations pay £2,900.
The ICO has stated that more notices of intent are in the drafting stage and are likely to be issued in the coming weeks. The ICO will also write to controllers that were previously registered with it under the Data Protection Act 1998 and will inform them of the data protection tier that will apply to them. The ICO will be in contact before current registrations expire. Companies will not have to pay the data protection fee until their pre-existing registrations expire.
All businesses in the UK that process personal data should take note. Just because a company was exempt from the old ICO registration system does not exempt it from paying the new data protection fee. Therefore, companies should check the time remaining on existing registrations and ensure that they have paid the applicable fee.