While the advent of the General Data Protection Regulation (“GDPR”) means that controllers will no longer be required to register the purposes for which they use personal data with the Information Commissioner’s Office (“ICO”), the requirement to pay an annual fee to the ICO is not being wholly abolished. This has been confirmed by the introduction of the draft Data Protection (Charges and Information) Regulation (“DPCIR”) which was recently published by the government which provides a new charging structure for controllers. It is intended to coincide with the implementation of GDPR on 25 May 2018.

The current law (up to 25 May 2018)

Under the current Data Protection Act 1998 regime, controllers who process personal data are required to register with the ICO (unless they are exempt). Charities have benefitted from paying the standard registration fee (£35), but other organisations (i.e. those that have both a turnover of £25.9 million and more than 249 members of staff, or public authorities with more than 249 members of staff) pay £500. Registration is compulsory until 25 May 2018 and we would strongly recommend registering if you fall within the scope of the above and have not yet registered. Failure to register when required to do so is a criminal offence and the registration process does not take long to complete. If you are already registered, we would recommend double checking the expiry date of your registration on the ICO’s public register and renewing it if the expiry date is prior to 25 May 2018. You can access the relevant area on the ICO’s website here: https://ico.org.uk/for-organisations/register/.

The new proposed charging structure

The new structure proposes a three tier system:

Tier

Criteria

Proposed annual fee

Tier 1 (“micro organisations”)

Turnover up to £632,000 OR

Up to 10 members of staff OR

Charities (regardless of size)

£40 (or £35 if paid by direct debit)

Tier 2 (“small and medium organisations”)

Turnover up to £36 million OR

Up to 250 members of staff

£60

Tier 3 (“large organisations”)

Any organisations who do not meet the tier 1 or tier 2 criteria

£2,900

 

Significantly, the DPCIR exempts charities (regardless of their size or turnover) from paying the tier 2 or tier 3 fee (and charities therefore fall within tier 1 and so pay £40). Public authorities and small occupational pension schemes also fall within this exemption. However, the ICO will regard all controllers as eligible to pay the tier 3 fee, unless the charity otherwise notifies the ICO.

Please note that some charities will be wholly exempt from paying a fee at all, where the processing is exclusively for not-for-profit purposes (or another purpose including staff administration, advertising, marketing, public relations or accounts/record keeping).

A charity will be regarded as being eligible to pay the £2,900 fee if it fails to notify the ICO that it falls within the tier 1 fee. So there is an onus on the charity to inform the ICO about its charitable status.

What do you need to do?

This depends on whether you are currently registered (and whether that registration has expired) or not:

  • If the registration is still valid, the new fee becomes payable once that registration expires (if it is after 25 May 2018). The ICO will decide which tier you fall under depending on the information they have from your existing registration (and if the ICO is likely to know that you are a charity falling within the tier 1 fee).
  • If your registration has expired (or will do so before 25 May 2018), the ICO will regard you as a tier 3 organisation and you will need to provide the ICO with the necessary information to show that your organisation is a charity.
  • If you have not registered before (and have not therefore paid a fee in the past), you will need to provide the ICO with information about your charity (we recommend this is done by registering).

We would also suggest that if your registration expires on or after 25 May, contact the ICO in any case to ensure you are not regarded at any point as a tier 3 organisation.

More information

The ICO has published a guide to the new charging structure here and an accompanying article here.

 


Victoria Hordern photo

Victoria Hordern

Head of Data Privacy

T
+44(0)20 7551 7951

E
v.hordern@bwbllp.com
View full information about Victoria Hordern
Michael Charalambous photo

Michael Charalambous

Senior Paralegal

T
+44(0)20 7551 7802

E
m.charalambous@bwbllp.com
View full information about Michael Charalambous

Posted on 04/04/2018 in Legal Updates

Back to Knowledge