The Information Commissioner's Office (ICO) has recently published an article providing some clarity on how the data processing registration and fee provisions under the current data protection regime will change with the advent of the General Data Protection Regulation 2016 (GDPR) next year.
Currently, organisations that process personal information are required to notify the ICO of their processing activities and complete an entry on its register of data controllers (unless an exemption applies). This involves explaining what personal data they collect and how they use it. This requirement forms part of the Data Protection Act 1998 (DPA) which also provides for a notification fee to be paid to the ICO for the purpose of funding its data protection work.
The ICO has confirmed that, when the GDPR takes effect on 25 May 2018, the notification requirement will be discontinued. However, the legal requirement for data controllers to pay the ICO a data protection fee will remain and will continue to be used as a means for the ICO to fund its data protection work.
Whilst the fee requirement will remain in effect, the ICO has announced that the fee structure will be modified to reflect the new funding system. The current draft proposal is a three-tier system (in contrast to the current two-tier system). This means that the amount of the data protection fee will still be based on organisations' size and turnover but will also take into account the amount of personal data organisations are processing. The aim of this three-tier system is to make it easy for organisations to categorise the fee they need to pay.
The new funding system comes into effect under the Digital Economy Act 2017 and is aimed at ensuring a fair system of fees which takes into account not only the size and turnover of an organisation but also the risk of the organisation's processing of personal data.
The amount of the data protection fee is being developed by the ICO's sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS). The ICO is also involved in the process together with representatives of those stakeholders who are likely to be affected by the new funding system. Currently, the notification requires a fee of either £35 or £500 depending on organisations' size and turnover.
Under the current ICO notification and fee regime, there are certain exceptions from the requirement to notify the ICO of the organisations' data processing activities and pay the requisite fee. These include, for example, organisations that carry out basic forms of data processing (such as processing of personal data by organisations only for maintaining a public register).
It is expected that there will still be exemptions under the new fee regime but the DCMS has yet to confirm what these exemptions will be. The ICO has stated that these may be similar to those currently in place.
The new regime is intended to go live on 1 April 2018, but the ICO has stated that organisations are still required to renew their notification under the DPA until the changes come into effect. Not doing so continues to amount to a criminal offence.
As regards data protection fee payments made during the 2017/2018 financial year, it is expected that these will run for a full year. This means that organisations which pay their annual notification fee during this period will not be under an obligation to pay a new fee under the new funding model until their notification under the old model expires.
It is anticipated that the ICO will provide further updates in relation to the new funding regime by the end of 2017 when it expects to know more about this.
The ICO also intends to inform all those organisations that are already registered with the ICO and are due to renew their notification from April about the new changes. The ICO's communication to these organisations is expected to include information on the changes and on the process required to enable a smooth transition to the new regime.
Contributor: Jenai Nissim
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2017. Specific advice should be sought for specific cases.