The government has recently published a new ICO fee structure that will be used to fund the data protection work of the Information Commissioner’s Office (ICO). The proceeds will be used to meet the ICO’s required income, which is set to increase significantly, from £19 million in 2016-17 to £33 million in 2020-21.
Currently, the ICO’s data protection work is funded by fees levied on organisations that process personal data, unless they are exempt. This is done under powers granted in the Data Protection Act 1998. When the GDPR comes into effect, however, it will remove the requirement for data controllers to pay the ICO a fee. The Government, which has a duty to ensure the ICO is properly funded, has proposed this new scheme to ensure the ICO’s continued funding.
The fee is to be based on relative risk to data and company size. Essentially, bigger companies processing more data will pay more than SMEs. Failure to pay the fee, or to pay the correct amount, could result in a fine of up to £4,350; however, regulations regarding the ICO’s power to impose fines have yet to be published.
Three Tier Structure
The new model is divided into three tiers and is based on a number of factors such as company size, turnover, and type of organisation (whether it is a public authority or charity). For small organisations, the fee will be no more than £35, while larger organisations will have to pay £2,900, as they will have larger volumes of data and represent a greater risk.
- Tier 1: Micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit).
- Tier 2: SMEs. Maximum turnover of £36m or no more than 250 members of staff. Fee: £60.
- Tier 3: Large organisations. Those not meeting the criteria of tiers one or two. Fee: £2,900.