Under current law, organisations that process personal data are required to register with the UK regulator, the Information Commissioner’s Office (ICO). So what if anything changes in light of the new General Data Protection Regulation (GDPR) in force from 25th May 2018?
The current ICO system
Under the Data Protection Act 1998, organisations that are classed as ‘data controllers’ (i.e. those that use personal data of any sort, even email addresses and phone numbers) must notify the ICO and pay a notification fee. The ICO calls this ‘registration’ and you can see what’s required on the ICO website. Fewer than a million organisations are registered with the ICO, which suggests that many of the UK’s smaller businesses are not signed up. Note that if you are a data controller and you haven’t notified the ICO, you’re committing a criminal offence!
The fee for small businesses is currently £35 a year. Only those with a turnover of £25.9 million and more than 249 members of staff (or public authorities with over 249 members of staff) pay more.
ICO fees post GDPR
The ICO has advised that the mechanism and fees are changing when GDPR comes into force on 25th May 2018. All data controllers must pay a fee to the ICO – this funds the ICO’s work (contrary to some reports, the ICO doesn’t get any income from the fines it imposes). This is no longer considered a ‘registration’ but a ‘fee payment’. The fee for small businesses remains at £35 a year if you pay by direct debit (which is handy so that you don’t forget to renew).
It’s important that you keep paying these fees. The ICO can impose financial penalties on companies that do not pay. While it might not be likely that the ICO will chase thousands of microbusinesses for unpaid fees, the impact on your company’s reputation of an ICO fine could be large.
The ICO will continue to publish a list of all fee-paying companies, so it will be obvious to your customers and competitors that if you’re not on that list, you’re not paying your fee!