While the ICO and FSB have worked together on a compliance-led approach, small firms must still obey the rules. Data controllers are required to pay a charge to the Information Commissioner’s Office unless they are exempt.
The cost of your data protection fee depends on your size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60.
Some organisations, for example charities and small occupational pension schemes, only pay £40 regardless of their size and turnover.
You can use the free fee-assessment tool on the Information Commissioner’s Office website to find out if and how much you will need to pay.
The Information Commissioner has recently been issuing fines to data controllers for failing to pay the relevant fees.
In a recent case, the IC issued a £4,000 fixed penalty to Farrow and Ball, a well-known paint supplier, for a failure to pay the relevant tier 3 data protection fee of £2,900.
Farrow and Ball appealed the decision on the basis that its failure to pay was an innocent mistake. It argued that the IC's reminder was sent while the relevant Farrow and Ball individual was on holiday. As a result, the reminder was not identified as important internally. The fee was promptly paid once the default was discovered.
The matter progressed to tribunal, which found that Farrow and Ball had not provided a reasonable excuse for non-compliance. The tribunal concluded that a reasonable controller would have systems in place to comply with the 2018 Regulations, and that there was no particular difficulty which explained the company's departure from the expected standards of a reasonable controller. The tribunal confirmed there was no evidence of financial hardship or other reason for the IC's discretion to be exercised differently.
The appeal was dismissed.
You can read the full case summary here.
As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.