Has your business paid its data protection fee?
The ICO has launched a campaign to remind organisations of the need to pay their annual data protection fee.
How do businesses register for the annual data protection fee?
The Data Protection Act 2018 brought in the annual fee requirement. There are three tiers of fees:
- Tier 1 (maximum turnover of £632,000 for the financial year or no more than 10 staff members) - £40
- Tier 2 (maximum turnover of £36 million for the financial year or no more than 250 members of staff) - £60
- Tier 3 (organisations not falling into the above criteria) - £2,900
There are various exemptions from paying a fee, including if organisations are only processing personal data for staff administration purposes or for personal, family or household affairs. The ICO has an online toolkit for organisations to use to determine if they are exempt.
There is a fixed penalty for failing to pay the fee. The penalty ranges from £400 to £4,000 (with aggravating factors potentially increasing the highest penalty to £4,350) depending on the organisation’s tier.
If organisations have data privacy issues (for example a data breach) and have not already registered with the ICO, this will almost certainly result in the fixed penalty, in addition to potential further enforcement action on any other issues.
The ICO has taken various action against controllers for failing to pay a fee. It issued 340 penalties between 1 July and 30 September 2019. With the ICO’s new campaign, we can expect the number of fines to increase.
Doyle Clayton offers an auditing service to review your organisation’s GDPR processes and practices. With the ICO’s enforcement action increasing, identifying gaps can lower the risk of penalties or other enforcement action. To learn more about this, please contact Mike Hibberd or any member of the data protection team.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.