ICO threatens fines for outstanding fees
The UK’s privacy watchdog has issued warning letters to organisations, including some NHS trusts and government organisations, for failing to pay a new data protection fee
The Information Commissioner’s Office (ICO) has begun formal enforcement action against 34 organisations that have failed to pay a data protection fee introduced in May.
All organisations that process personal data must pay a fee to the ICO unless they are exempt under new UK data protection regulations, replacing the need to notify or register with the ICO.
The fees, set by government, are aimed at funding the ICO’s data protection work and new and expanded services such as its advice line, online resources, and guidance to help organisations comply with new data protection laws.
The new funding model was introduced after years of campaigning by the ICO for better funding for its investigations and support activities.
There are three tiers of fees that apply depending on the size and turnover of an organisation and whether it is a public authority or a charity.
Micro organisations with a maximum turnover of £632,000 or no more than ten members of staff have to pay £40, while SMEs with a maximum turnover of £36m or no more than 250 members of staff are required to pay £60 and large organisations are liable for fees of £2,900. In all cases, a £5 discount applies for payments by direct debit.
The fees came into force on 25 May, to coincide with the UK’s new Data Protection Act (2018) and the EU’s General Data Protection Regulation (GDPR), which are expected to increase the ICO’s workload.
In anticipation of the increased workload, information commissioner Elizabeth Denham has overseen a growth in the number of people working for the ICO, which now employs around 670 staff.
In March 2017, the information commissioner told the House of Lords EU Home Affairs sub-committee the ICO planned to recruit 200 additional staff to take the total number to around 700 by 2020.
The data protection regulator has sent notices of its intent to fine the organisations up to £4,350 if they do not pay the fees they owe.
Paul Arnold, deputy chief executive officer at the ICO, said the notices serve as a final demand to organisations.
“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action,” he said.
Notices of intent
The notices of intent were sent earlier this month to a range of organisations across both the public and private sector, including the NHS, government organisations, and recruitment, finance and accounting firms.
More notices are in the drafting stage and will be issued soon, according to the ICO. Failure to pay the data protection fee is now a civil offence under the GDPR. Previously, this was a criminal offence under the Data Protection Act 1998.
Organisations have 21 days to respond to the notices. If they pay, action will stop. Those that ignore the notices or refuse to pay may face a fine.
The fines range from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350, the ICO said.
The ICO has produced a fee calculator tool and guidance on the data protection fee. Organisations that have a current registration (or notification) under the 1998 Data Protection Act – prior to 25 May 2018 – do not have to pay the new fee until that registration has expired.