The Data Protection Fee – to pay or not to pay?
On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force, changing the way the Information Commissioner’s Office (ICO) funds its data protection work.
Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt.
The new data protection fee replaces the requirement to ‘notify’ (or register) under the Data Protection Act 1998, for which some of you should have, and may have, paid a fee in recent years.
Although the 2018 Regulations came into effect on 25 May 2018, this doesn’t mean everyone now has to pay the new fee. Controllers who have a current registration (or notification) under the 1998 Act (the old fee) do not have to pay the new fee until that registration has expired.
We are now seeing more and more letters and emails being sent out by the ICO to organisations who paid the old fee.
But whether or not you paid the old fee, you may or may not need to pay the Data Protection Fee.
The ICO have a very good guide and self-assessment tool which will advise if you need to pay the fee. We encourage all businesses to undertake this 5-minute test – you can access it here. Question 7 is the most time-consuming and may need some thought or justification. Do make a note of any rationale you have used to tick the boxes, in case the ICO come knocking at any point in the future and ask why you didn’t pay the fee – if that’s what you decide to do.
Do contact us if you have any questions about this fee or about your GDPR compliance in general.
We have over 35 years’ experience in Data Legislation, Data Management and Data Protection. If you would like to find out more about how we help businesses with their GDPR compliance, please check out our GDPR services or call us on 01635 592020.