The draft Data Protection (Charges and Information) Regulations 2018 (the Regulations) have now been published and will replace the current Data Protection (Notification and Notification Fees) Regulations 2000. The final version of the Regulations will come into force on 25 May 2018 in line with the General Data Protection Regulation (GDPR). The draft Regulations, as always, are subject to Parliamentary approval. However, given the limited time before they are due to take effect, they are unlikely to change.
The draft Regulations set out the following:
- When data controllers will be required to provide information to the Information Commissioner's Office (ICO) and pay a charge associated with the processing of personal data.
- An annual charge to the ICO is required unless all processing undertaken by the controller is exempt. The ICO has also published a guide to the draft Regulations on how controllers can determine whether they are exempt from this requirement. The guide also outlines the ICO's intention to publish an online exemption assessment tool by 25 May 2018 to assist.
- Special provisions must be made where there is more than one data controller in respect of personal data, for example in the case of a governing body and headteacher of a school.
- Different fee levels. There are three tiers of charges (£40, £60 and £2,900) depending on the data controller's turnover, number of staff and organisation type. Information that must be provided includes the name and address of the controller.
  - Tier 1 (£40) applies to micro organisations with a turnover of up to £632,000 or up to 10 members of staff;
  - Tier 2 (£60) applies to small and medium organisations with a turnover of up to £36,000,000 or up to 250 members of staff; and
  - Tier 3 (£2,900) applies to organisations that exceed the turnover and numbers of staff in Tier 2.
Key information to note:
- If you have registered before 25 May 2018, you do not need to re-register in line with the GDPR. Your current registration will remain valid for 12 months and you will not need to pay the new fees until your current registration expires.
- There is a monetary penalty of £4,350 for not registering.
- The information about your Data Protection Officer (DPO) may also be collected through this process. However, this is not a requirement of the Regulations - it is just for convenience. Their name will be published if the DPO gives their consent.
- Charities and small occupational pension schemes are only required to pay the Tier 1 fee, regardless of size or turnover.
- Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.