ICO planning ‘three-tier system’ of data-processing fees as post-GDPR funding model
Body pledges new structure will be ‘fair’, with detailed information likely before the end of 2017
The introduction of GDPR means the Information Commissioner's Office requires a new model of funding
The Information Commissioner’s Office has pledged that the fees it charges data controllers from next year will be “fair, and reflect the relative risk of the organisation’s processing of personal data”.
Details on how much those fees are likely to be should be available by the end of 2017, with plans currently being made to introduce an intermediate level to the existing two-tier system.
Under the incumbent Data Protection Act, unless they are subject to an exemption, companies processing personal data are obliged to register with the ICO by giving notice of what information they collect and how they use it. For this, they are charged a notification fee of £35 or £500, depending on the company’s size. Organisations must renew their registration each year.
The money collected in this way funds the majority of the ICO’s work. Returns from fines issued by the organisation, meanwhile, are handed back to the government.
Once the EU General Data Protection Regulation comes into force next year, the notification fees will be done away with.
Instead, the Digital Economy Act, which passed into UK law earlier this year, provides for a new funding model for the ICO, in which companies will pay the body a “data-protection fee”.
- What all public-sector IT leaders need to know to be ready for GDPR
- GDPR deadline: One third of public sector decision makers not confident they’ll be ready
- GDPR compliance: UK’s information watchdog seeks to share ideas as deadline looms
ICO deputy chief executive Paul Arnold said that the organisation and its sponsor department, the Department for Digital, Culture, Media and Sport, are currently working with “representatives of those likely to be affected by the change” to formulate a plan for what the new fees will be.
“We expect to know more by the end of the year and will communicate to data controllers once we do,” he said.
Once the plan is finalised, it will require parliamentary approval, before being introduced on 1 April 2018. Arnold said that, as it stands, the ICO’s proposal is for “three-tier system” of fees that takes into account the size of the organisation and the amount of personal data it processes.
“The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data,” said Arnold.
He added: “The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves. We expect to know more by the end of the year and will communicate to data controllers once we do.”
The ICO deputy chief said that organisations that are shortly due to pay to renew their registration must still do so, and that the ICO expects that payments made prior to 1 April “will run for a full year” as they normally would – meaning that companies should not have to pay twice in the space of 12 months.
The current system charges a notification fee of £35 for all organisations other than public bodies with more than 249 employees, or commercial enterprises with both 250-plus staff and an annual turnover in excess of £25.9m. In those cases organisations must pay £500.
Exemptions apply to organisation who only process personal data for the purposes of judicial functions, staff administration, marketing their own business, keeping accounts and records, or personal and household affairs. Some – but not all – not-for-profit organisations are also exempt, as are data controllers who solely use personal data in support of maintaining a public register, and any organisation that processes data solely through non-digital means.
The new fee structure will retain some form of exemption system, Arnold said.
He added: “What these exemptions will be has yet to be confirmed by DCMS, but we expect them to be similar to those under the current regime.”
Ability to compel telecoms firms to gather data was introduced in Investigatory Powers Act
Cabinet Office and DCMS seek input on key questions, including the respective roles that should be played by government and industry
PACAC finds department’s role as both regulator and provider of data has ‘compromised’ its work
Statutory body asked to conduct a secondary review of internet abuse law