ICO planning ‘three-tier system’ of data-processing fees as post-GDPR funding model

Written by Sam Trendall on 6 October 2017 in News

Body pledges new structure will be ‘fair’, with detailed information likely before the end of 2017

The introduction of GDPR means the Information Commissioner's Office requires a new model of funding

The Information Commissioner’s Office has pledged that the fees it charges data controllers from next year will be “fair, and reflect the relative risk of the organisation’s processing of personal data”.

Details on how much those fees are likely to be should be available by the end of 2017, with plans currently being made to introduce an intermediate level to the existing two-tier system.

Under the incumbent Data Protection Act, unless they are subject to an exemption, companies processing personal data are obliged to register with the ICO by giving notice of what information they collect and how they use it. For this, they are charged a notification fee of £35 or £500, depending on the company’s size. Organisations must renew their registration each year.

The money collected in this way funds the majority of the ICO’s work. Returns from fines issued by the organisation, meanwhile, are handed back to the government.

Once the EU General Data Protection Regulation comes into force next year, the notification fees will be done away with.

Instead, the Digital Economy Act, which passed into UK law earlier this year, provides for a new funding model for the ICO, in which companies will pay the body a “data-protection fee”. 

ICO deputy chief executive Paul Arnold said that the organisation and its sponsor department, the Department for Digital, Culture, Media and Sport, are currently working with “representatives of those likely to be affected by the change” to formulate a plan for what the new fees will be. 

“We expect to know more by the end of the year and will communicate to data controllers once we do,” he said.

Once the plan is finalised, it will require parliamentary approval, before being introduced on 1 April 2018. Arnold said that, as it stands, the ICO’s proposal is for a “three-tier system” of fees that takes into account the size of the organisation and the amount of personal data it processes.

“The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data,” said Arnold.

He added: “The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves. We expect to know more by the end of the year and will communicate to data controllers once we do.”

The ICO deputy chief said that organisations that are shortly due to pay to renew their registration must still do so, and that the ICO expects that payments made prior to 1 April “will run for a full year” as they normally would – meaning that companies should not have to pay twice in the space of 12 months.

The current system charges a notification fee of £35 for all organisations other than public bodies with more than 249 employees, or commercial enterprises with both 250-plus staff and an annual turnover in excess of £25.9m. In those cases organisations must pay £500.

Exemptions apply to organisations that only process personal data for the purposes of judicial functions, staff administration, marketing their own business, keeping accounts and records, or personal and household affairs. Some – but not all – not-for-profit organisations are also exempt, as are data controllers who solely use personal data in support of maintaining a public register, and any organisation that processes data solely through non-digital means.

The new fee structure will retain some form of exemption system, Arnold said.

He added: “What these exemptions will be has yet to be confirmed by DCMS, but we expect them to be similar to those under the current regime.”


About the author

Sam Trendall is editor of PublicTechnology
