Tuesday, 27 March 2018

Information Commissioner's Charges after GDPR

Bank of England
Author Adrian Pingstone
Licence Copyright waived by owner
Source Wikipedia

Jane Lambert

The General Data Protection Regulation ("GDPR") imposes a number of new obligations on data controllers but it does not require them to pay any money unlike the Data Protection Act 1984 and the Data Protection Act 1998.  A small but very welcome concession in exchange for responsibilities that will increase the costs of compliance one might have thought.

Fat chance! Our own Parliament has passed the Digital Economy Act 2017 section 108 (1) of which enables the Secretary of State to make regulations that "require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner." The government has now published draft regulations under that provision known as The Data Protection (Charges and Information) Regulations 2018 which will come into effect on 25 May 2018. The Explanatory Note  states that they will replace The Data Protection (Notification and Notification Fees) Regulations 2000 SI 2000 No 188.

According to the Information Commissioner;s press release, this legislation has been enacted because the government has a statutory duty to ensure that the Information Commissioner's Office is adequately funded (see New model announced for funding the data protection work of the Information Commissioner’s Office 21 Feb 2018 ICO's News and Blogs). They have a point there.  I for one was heartened by photos of ICO investigators doing their job in relation to recent personal data misuse allegations (see Investigators complete seven-hour Cambridge Analytica HQ search 24 March 2018 The Guardian).

The amount of the new charges is set out in reg 3 (1):
"For the purposes of regulation 2 (2), the charge payable by a data controller in—
(a) tier 1 (micro organisations), is £40;
(b) tier 2 (small and medium organisations), is £60
(c) tier 3 (large organisations), is £2,900."
To qualify as a "micro organisation" a business must:
(i)  have a turnover of less than or equal to £632,000 for the data controller’s financial year,
(ii) no more that 10 members of staff;
(iii) be a charity, or
(iv) be a small occupational pension scheme.
As micro organizations will be offered a £5 discount if they pay by direct debit, the new rules will not increase their payments at all if they take advantage of the concession.   For businesses in tier 3 there will be a massive increase from £500 to £2,900 per year.   The new rates are intended to reflect the relative risk for each category of data controller.

Anyone wishing to discuss these rules or data protection in general should call me on 020 7404 5252 during office hours or send me a message through my contact form.

No comments:

Post a comment