ICO and Fees for Data Controllers under GDPR

4th April 2018 Author: InfoSaaS

We’ve commented previously that a general perception of GDPR was that there would be a removal of the annual registration cost which is currently paid to the Information Commissioner’s Office for registration under the UK Data Protection Act of 1998. What has since been clarified is that whilst data controllers will need to maintain their own records of data processing (as per Article 30), the ICO has communicated that an annual fee will apply for all data controllers, which will help to fund their operating costs – for example enforcement actions. For most organisations which have a current registration, the current registration period will continue, and the new cost framework as outlined below will come into effect at renewal.

From 25th May 2018, organisations which process personal data will be charged a fee dependent upon which of three tiers they fall within:

  • Tier 1 is for “micro organisations” – including annual turnover of less than £632,000, 10 members of staff
  • Tier 1 also includes charities and small occupational pension schemes, regardless of size or turnover
  • Tier 2 is for “SME organisations” – with a turnover of no more than £36 million, or no more than 250 personnel
  • Tier 3 is for “large organisations” – all other organisations

The fee categories associated with each of these tiers is as follows (a £5 discount will apply for direct debit payments):

  • Tier 1 – £40
  • Tier 2 – £60
  • Tier 3 – £2,900

Note that public authorities will be charged in accordance with their number of personnel and not their annual turnover.

Some exemptions to the new fee schedule applies if only one or more of the following applies:

  • Personal and family data processing
  • Employee administration
  • Accounts and records
  • Judicial functions
  • Not-for-profit activities
  • Advertising, marketing and public relations
  • Maintaining a public register
  • Personal data processing not undertaken on an electronic device

Before GDPR arrives, please take a moment to review this detailed ICO guidance on GDPR fees, which will help you to prepare and budget accordingly.