ICO planning ‘three-tier system’ of data-processing fees as post-GDPR funding model

Written by Sam Trendall on 6 October 2017 in News

Body pledges new structure will be ‘fair’, with detailed information likely before the end of 2017

The introduction of GDPR means the Information Commissioner's Office requires a new model of funding

The Information Commissioner’s Office has pledged that the fees it charges data controllers from next year will be “fair, and reflect the relative risk of the organisation’s processing of personal data”.

Details on how much those fees are likely to be should be available by the end of 2017, with plans currently being made to introduce an intermediate level to the existing two-tier system.

Under the incumbent Data Protection Act, unless they are subject to an exemption, companies processing personal data are obliged to register with the ICO by giving notice of what information they collect and how they use it. For this, they are charged a notification fee of £35 or £500, depending on the company’s size. Organisations must renew their registration each year.

The money collected in this way funds the majority of the ICO’s work. Returns from fines issued by the organisation, meanwhile, are handed back to the government.

Once the EU General Data Protection Regulation comes into force next year, the notification fees will be done away with.

Instead, the Digital Economy Act, which passed into UK law earlier this year, provides for a new funding model for the ICO, in which companies will pay the body a “data-protection fee”. 


ICO deputy chief executive Paul Arnold said that the organisation and its sponsor department, the Department for Digital, Culture, Media and Sport, are currently working with “representatives of those likely to be affected by the change” to formulate a plan for what the new fees will be. 

“We expect to know more by the end of the year and will communicate to data controllers once we do,” he said.

Once the plan is finalised, it will require parliamentary approval, before being introduced on 1 April 2018. Arnold said that, as it stands, the ICO’s proposal is for a “three-tier system” of fees that takes into account the size of the organisation and the amount of personal data it processes.

“The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data,” said Arnold.

He added: “The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves. We expect to know more by the end of the year and will communicate to data controllers once we do.”

The ICO deputy chief said that organisations that are shortly due to pay to renew their registration must still do so, and that the ICO expects that payments made prior to 1 April “will run for a full year” as they normally would – meaning that companies should not have to pay twice in the space of 12 months.

The current system charges a notification fee of £35 for all organisations other than public bodies with more than 249 employees, or commercial enterprises with both 250-plus staff and an annual turnover in excess of £25.9m. In those cases organisations must pay £500.

Exemptions apply to organisations that only process personal data for the purposes of judicial functions, staff administration, marketing their own business, keeping accounts and records, or personal and household affairs. Some – but not all – not-for-profit organisations are also exempt, as are data controllers who solely use personal data in support of maintaining a public register, and any organisation that processes data solely through non-digital means.

The new fee structure will retain some form of exemption system, Arnold said.

He added: “What these exemptions will be has yet to be confirmed by DCMS, but we expect them to be similar to those under the current regime.”


About the author

Sam Trendall is editor of PublicTechnology
