The draft Data Protection (Charges and Information) Regulations 2018 have now been laid before Parliament by the UK Government; it is intended that they will enter into force on 25th May 2018. The Regulations will introduce the new charging regime that is to replace “notification fees”, once the requirement upon data controllers to notify the Information Commissioner of their processing of personal data.
As expected, the fees will move from the current two-tier structure to a three-tier structure; however, the fee amounts are different to what was proposed in the consultation last year. The tiers are as follows:
Tier 1
Data controllers who fall into tier 1 will pay an annual fee of £40 to the Information Commissioner. You fall into this fist tier if you have a turnover of less than or equal to £632,000 for your financial year, or you have no more than 10 members of staff. Charities also fall into this category as do small occupational pension providers.
Tier 2
Data controllers who fall into tier 2 will pay an annual fee of £60 to the Information Commissioner. You will fall into this tier if you do not fall into tier 1 and have a turnover less than or equal to £36m for your financial year, or have no more than 250 members of staff.
Tier 3
Data controllers who fall into tier 3 will pay an annual fee of £2,900 to the Information Commissioner. All non-exempt data controllers who do not fall into the first two tiers will fall into tier three. The Commissioner has indicated that they will assume that every data controller falls into tier 3 unless they prove the contrary.
These fees do represent a shift from the levels that were consulted on last year. In particular the top-tier fee that was suggested in October was £1,000 but has now become £2,900. Data controllers can save themselves a bit of money (a grand total of £5) by paying their annual fees by Direct Debit.
The fees structure that was consulted on had suggested that there would be a premium to be paid by any data controller that also carried out direct marketing activities by electronic means; however, that hasn’t been given effect to in the draft Regulations that have been laid before Parliament,
In terms of working out how many members of staff you have for the purposes of these regulations you can’t just count the number of employees you have. A member of staff, for the purposes of the Regulations, is: (i) an employee; (ii) a worker, within the meaning of s.296 of the Trade Union and Labour Relations (Consolidation) Act 1992; (iii) an office holder; or (iv) a partner. Part-time members of staff are counted as one member for these purposes. To calculate the members of staff you need to work out how many members of staff you employed each month in your last financial year, add together the monthly totals and then divide it by the number of months in your last financial year. Even members of staff who work outside of the United Kingdom (and, indeed, the European Union) need to be counted.
You do not need to work out how many members of staff you have if you are a charity or if you are a small occupational pension scheme. Public authorities are required to ignore those reference to turnover and are required only to determine how many members of staff that they have.
If you are processing personal data solely for one of the following eight purposes, you do not need to pay a fee to the Information Commissioner:
- Staff Administration;
- Advertising, marketing or public relations,
- Accounts and records,
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
To be able to rely upon this exemption your processing must be solely for one or more of the above noted purposes. If your processing is for one of those activities in addition to another activity then you will need to pay the fee at the appropriate tier.
In order to ensure that data controllers are paying the correct level of fee, the draft Regulations have provision within them for data controllers to supply various pieces of information to the Information Commissioner; this information fits around establishing which, if any, of the three tiers the controller falls into.
There are a couple of final things to note. The first is that if you pay a notification fee prior to 25th May 2018 then you will not be required to pay the new fees until that notification has expired. Therefore, if you are due to notify the ICO under the Data Protection Act 1998 on or before 24th May 2018 you will not be required to pay the new fees until next year. The final thing to note is that these Regulations are only in draft form; they are still subject to parliamentary approval and could be amended. However, this blog post reflects the position as contained within the draft Regulations. Large organisations should, however, be planning to pay significantly more to the Information Commissioner than the £500 they have been paying until now.
If you would like advice or assistance with a privacy or data protection matter, including the GDPR, or any other information law matter then contact Alistair Sloan on 0345 450 0123 or send him an E-mail.