Ministers reveal proposals for updated funding model for the UK’s data protection regulator, with businesses to be asked to pay as much as £1,000 extra per year for registration services
The government has proposed an updated regime of annual fees payable by organisations processing sensitive personal data, with current prices set to be hiked by 37%.
To support the operations of the Information Commissioner’s Office, data processors are required to register with the data-protection regulator and pay an annual levy based on their size.
The smallest firms, including those with a maximum of 10 employees or revenue of no more than £632,000, are currently obligated to pay £40 each year. This rises to £60 for organisations with up to 250 staff or turnover of less than £36m.
Those in the top tier, comprised of all data-processing businesses which exceed these criteria, must pay the ICO £2,900 each year under the current set-up.
For all three levels, the government is proposing a rise of between 37% and 37.5% to these fees – to be implemented from next year onwards.
Related content
- ‘Cover-ups don’t help anyone’ – how the ICO changed tack with the public sector
- ICO issues data protection warning over domestic abuse victims after DWP and local councils reprimanded
- Information commissioner: ‘I want us to be for all of society – not just those with the resources to access data protection’
This equates to yearly payments of £55 for micro-organisations and £82 for bigger SMEs. The government claims that 99% of all fee-paying data-processors are contained within these two brackets.
The remaining 1% that constitute the top tier will see their annual charges increase to £3,979.
Before going ahead with these changes, the government is conducting a public consultation process, with stakeholders inviting to respond until 26 September.
In a ministerial foreword launching the feedback process, secretary of state for science, innovation and technology Peter Kyle said that “these fees have not risen in line with inflation since their introduction in 2018, meaning the ICO today is delivering the same level of statutory responsibilities with significantly less real-term income”.
He added: “They also do not take into account the ongoing investment the ICO has needed to make in its capabilities over the last six years – and which it will need to continue making – to ensure it can regulate effectively in the rapidly evolving era of digital technologies and AI. An uplift in fees is overdue.”
Kyle said that supporting the work of the watchdog is particularly important in the context of the new government’s five core missions, for which “there is one [factor] that will underpin them all: data”.
“How we harness data, the opportunities it creates, and the innovations it makes possible will be critical to realising our goals across the missions – whether that is driving productivity across the economy, transforming public services like the NHS or schools, or identifying how to improve opportunities and outcomes for our children,” the cabinet minister added. “Much of the data we need to use to achieve these outcomes will be personal data. That is why it is essential that we have a regulatory environment that enables data to be used safely and confidently, underpinned by the highest standards of data protection. And it is why the work of the UK’s independent data protection regulator, the ICO, is so important.”
Data released several months ago by ministers in the previous administration showed that, since the introduction of the GDPR regime, the number of data-processing organisations registered with the ICO has risen by 160% – from fewer than 500,000 to almost 1.2million.