ICO clarifies registration and fee requirements under GDPR
Data controllers will continue to pay fees to ICO after GDPR comes into effect.
Despite the GDPR abolishing the need for data controllers to register with supervisory authorities, the ICO has announced that the requirement to pay a registration fee will remain, due to a provision in the UK’s Digital Economy Act (the Act).
Under the Act, a data controller must pay a fee to the ICO based upon the relative risk of its data processing activities. The Act has defined a data controller as the person or organisation who ultimately determines the purpose and means of the processing of personal data. The fee itself will be influenced by the size and turnover of the organisation, as well as its exposure to data processing activities.
The ICO has reported that the basis for continuing to charge a fee is to allow the regulator to continue its data protection work.
In implementing this new system, the ICO has set out a three-tier system, categorising organisations based upon the amount of personal data they process, as well as their number of employees and turnover. The ICO has stated that it envisages the tier system to be simple and user-friendly, allowing organisations to easily categorise themselves.
At present, the ICO remains in discussions with the Department for Digital, Culture, Media and Sport (DCMS) as it develops the new system. A recently published consultation report appears to suggest that the annual fee will range from up to £55 for Tier 1 organisations, to up to £80 for Tier 2 organisations and up to £1000 for Tier 3 organisations.
The ICO has also provided guidance in relation to organisations which are due to re-register prior to the implementation of the new regime, emphasising that compliance with the current rules is still necessary until further notice is provided. Further guidance is expected from the ICO towards the end of the year.
The removal of the obligation to notify the ICO of processing activities was one of the few areas where the GDPR appeared to attempt to lighten the administrative load for data controllers. Therefore, the confirmation of the newly imposed fee is slightly disappointing, although perhaps a necessary mechanism for the ICO to create revenue. In the meantime, organisations will be trying to keep up to date with any guidance published by the regulator to ensure they are as compliant as possible before 25 May 2018.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.