GDPR: have you paid your data protection fee?

Under regulations introduced along with the General Data Protection Regulation (GDPR), those organisations which are classed as data controllers are required to pay a data protection fee to the Information Commissioner’s Office (ICO). This fee varies based on the size and turnover of the organisation and there are also exemptions for those that fall into particular categories.

It has been eight months since GDPR came into force and the ICO has now started to take action against those organisations that have failed to pay the required fee.

Take care (homes) with GDPR

Care homes do not fall into any of the exemptions from the data protection fee as they handle sensitive personal information relating to the health and wellbeing of residents. This is classed as special category data under GDPR and is subject to stricter rules relating to processing and distribution. Care homes are under-represented on the data controller register, possibly because many believe that they are exempt from paying the fee.

The exemptions relate to when an organisation is processing personal data only for one (or more) of the following purposes: staff administration; advertising and PR; not-for-profit purposes; judicial functions; maintaining a public register; or processing personal information without an automated system.

At the end of last year, the ICO commenced formal enforcement action against a number of care homes that had failed to pay the data protection fee. Notices of intent to fine businesses were sent and these fines could be as much as £600 if they do not pay up. If they do, the enforcement action will stop. Organisations are given a 21 day window in which to respond.

What is the data protection fee?

The Government has a duty to ensure the ICO is funded adequately and so it introduced the data protection fee to coincide with GDPR.

The fee replaced the requirement to notify, or register with, the ICO. The funding model is made up of three tiers:

• tier 1: micro organisations – these are organisations with a turnover of £632,000 or no more than ten employees. The fee is £40 and the fine for not paying that amount could go up to as much as £400;
• tier 2: SMEs – these have a maximum turnover of £36 million or no more than 250 employees. The fee for those in this category is £60, with a potential fine of up to £600 should they fail to pay up; and
• tier 3: large organisations – these organisations do not satisfy the criteria in either tier 1 or tier 2. The fee is £2,900 with a potential fine of up to £4,000.

The fee must be paid annually. Charities; small occupational pension schemes; and organisations that have existed for less than one month will pay the smaller £40 fee, regardless of their size and turnover.

So those organisations which choose to ignore the notices or delay any payment to the ICO could face fines ranging from £400 to £4,000. Aggravating factors could increase the fine up to a maximum of £4,350.

If an organisation has a current registration (or notification) under the old Data Protection Act 1998, it will not be required to pay the new fee until that current registration has expired.

ICO enforcement action

Care homes are not the only focus for the ICO. It has also issued fines to organisations in a range of other sectors including business services, construction and finance. In fact, more than 900 notices of intent to fine have been issued by the ICO since September last year.

Since GDPR came into force in May last year, more than 8,000 data breaches have been notified to the ICO. The ICO said GDPR has raised the public’s awareness of the potential of their personal data being misused and concerns are growing about the threat of cyber-crime and the impact this can have on data subjects.

We have seen a large number of data breaches over the last year, with personal, and often sensitive, information being obtained by cyber criminals. Facebook, British Airways and the hotel group Marriott have all been affected.

GDPR was designed to improve how data was controlled by organisations but it appears there is still some way to go before our personal information is completely secure.

However, the ICO now clearly believes that organisations have had enough time to get their policies and procedures in order and are confident that these fines and enforcement notices are warranted. We are likely to see more action being taken this year as the ICO broadens its enforcement policy.