GDPR – Cost v Consequence
Many businesses, traders and organisations that process ‘personal data’ probably don’t realise that they are more likely than not required to pay an annual fee to the Information Commissioner’s Office (‘ICO’), unless they fall within one of a limited set of exemptions.
When the General Data Protection Regulation (‘GDPR’) came into force in May 2018, so did the Data Protection (Charges and Information) Regulations 2018, which make it a legal requirement for any data controller processing personal data to pay a charge to the ICO every 12 months.
‘Processing’ personal data as a ‘data controller’ (the party that determines the purpose of the processing) can mean collecting, retaining, disclosing, adapting, erasing or using in any way the personal data belonging to an individual (otherwise known as a ‘data subject’).
‘Personal data’ means information relating to an individual from which they can be identified, or are identifiable, either directly from a single piece of information or by combining several pieces. Commonly this includes names, addresses and email addresses, but it may also include location data, IP addresses, cookies and contact numbers. Importantly, the data must somehow ‘concern’ the individual, not merely ‘identify’ them.
So if your business processes the personal data of customers, clients, employees or suppliers, you will be caught by the Regulations.
You are exempt from paying the fee only if you process personal data solely for one or more of the following purposes: staff administration; maintaining a public register; advertising, marketing and public relations; judicial functions; not-for-profit purposes; or domestic purposes (personal, family or household affairs).
However, if the processing within your business extends beyond the above purposes (which is highly likely), the fee payable is determined by a tier system.
There are three different tiers of fee between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
The tier you fall into depends on:
- how many members of staff you have;
- your annual turnover;
- whether you are a public authority;
- whether you are a charity; or
- whether you are a small occupational pension scheme.
Tier 1 – micro organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. The ICO treats every controller as liable for the tier 3 fee unless and until the controller tells the ICO otherwise, so it is worth checking which tier you actually fall into.
The 2018 Regulations make certain exceptions for some controllers.
- Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
- Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
- Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
The ICO has a helpful online self-assessment tool to help your business work out which fee applies to you.
Direct debit discount
If you choose to pay the fee by direct debit, you will receive an automatic discount of £5 at the point of payment.
Chadwick Lawrence’s Regulatory team are dedicated solicitors with expertise in data protection compliance and GDPR matters who can help your business become compliant and thereafter maintain its personal data security systems. This is achieved through a compliance-led subscription package with day-to-day telephone support for your HR team and managers. Contact us today on 01924 379 078 for more information.