Businesses currently pay an annual fee to notify the Information Commissioner’s Office (ICO) that they process data and, in certain circumstances, to obtain approval for some activities. The annual fee is determined by the size of your business and most SMEs pay an annual fee of £35.
With the implementation of the new data protection rules on 25 May 2018, the General Data Protection Regulation (GDPR), this requirement will change slightly. Businesses (who are most likely to be data controllers) will remain liable to pay the ICO a data protection fee. The ICO has indicated that the fees will fund their data protection work.
It’s unclear at this stage what the fees will be. The ICO and the Department for Digital, Culture, Media and Sport are in consultation on this issue. Whatever they suggest, the final fees will be approved by Parliament.
The ICO are determined to ensure that fair fees reflect the risk level associated with an organisation’s processing of personal data. So it seems their approach will be to base the fees on an organisation’s size and the amount of processing that they do. We currently have no information on exemptions that may apply under the new system.
The ICO have stated that the new system will go live from 1 April 2018. Until then you should continue to notify and pay the ICO fees or renewal fees as usual. This requirement should not be taken lightly, as it’s a criminal offence not to notify if you need to.
More information on this is expected towards the end of 2017. In the meantime we recommend that you carry out a data protection impact assessment to determine the level of risk associated with the data you hold and if, and how, the identified risks can be mitigated.