In recent weeks, the Information Commissioner’s Office (ICO) has published a piece that provides some clarity on how the data processing registration and fee provisions under the current data protection regime will change with the advent of the General Data Protection Regulation 2016 (GDPR) next year.
As it currently stands, organisations that process personal information are required to notify the ICO of their activities and complete an entry on its register of data controllers, unless an exemption applies. This involves explaining what personal data they collect and how they use it. This requirement forms part of the Data Protection Act 1998 (DPA), which requires a notification fee to be paid to the ICO for the purpose of funding its data protection work.
What Are the Changes?
The ICO has confirmed that from 25th May 2018, when the GDPR takes effect, the notification requirement will be discontinued, but the legal requirement for data controllers to pay the ICO a data protection fee will remain as a means for the ICO to fund its data protection work.
The ICO has also announced that whilst the fee requirement will remain the same, the fee structure will be modified in order to reflect the new funding system and will come in the shape of a three-tier system.
Therefore, while the amount of the data protection fee will continue to be based on organisations’ size and turnover, it will also take into account the amount of personal data that organisations are processing, making it easier for them to categorise the fee that they need to pay.
The Digital Economy Act 2017
The upcoming system comes into effect under the Digital Economy Act 2017. It’s aimed at safeguarding a fair system of fees which takes into account the size and turnover of an organisation as well as the risk of processing personal data.
The Department for Digital, Culture, Media and Sport (DCMS) is working with the ICO and representatives of those stakeholders who are likely to be affected by the new funding system to determine how much the data protection fee will be. As it currently stands, notification requires a fee of either £35 or £500, depending on the organisation’s size and turnover.
What About Exemptions?
Currently, under the existing ICO notification and fee regime, there are a couple of exemptions. An example would be organisations that carry out basic forms of data processing (such as processing of personal data by organisations only for maintaining a public register).
While it is expected that there will still be exemptions under the new fee regime, the DCMS has yet to confirm exactly what these will be. However, the ICO has stated that these are likely to be similar to the exemptions currently in place.
The Next Steps
The new regime is set to go live on 1st April 2018. However, the ICO has stated that organisations are still required to renew their notification under the DPA up until the 2018 changes come into effect. If organisations don’t, criminal action may be taken.
The ICO plans to contact organisations with information packs on the expected changes in the coming months.