10 October 2017
As the GDPR live date gets ever nearer, we provide you with the relevant updates you need.
Registration with the ICO
Under the current Data Protection Act 1998 (DPA), before an organisation can process personal data, it must notify the ICO and pay a fee for the privilege. This involves telling the ICO what data the organisation collects and how that data is used. Under the GDPR there is no obligation to inform the supervisory authority that you are processing personal data. For organisations with over 250 employees, there is an obligation to record data processing, which is seen as an enhanced form of notification and is part of how an organisation can demonstrate accountability. However, in the UK there will still be a requirement to notify the ICO, and the fee structure is changing from 1 April 2018.
How is the ICO funded?
Unlike many of the data protection watchdogs across the EU, the ICO is not funded by the fines that it imposes on those that have breached data protection requirements. Instead, it is funded by the notification fee. This has always been one of the big differences in approach between the UK and other EU countries when it comes to the funding of data protection regulation and enforcement. The ICO’s EU counterparts have often been criticised for imposing higher fiscal fines on breaching data controllers because, by imposing higher fines, those regulators can increase their own operating budget. The ICO, on the other hand, must hand over any money it receives from fines to the Government.
Data Protection Fees
The notification fees that a data controller currently pays range from £35 to £500, depending on the size of the organisation. Although the GDPR will remove the requirement for an organisation to inform the ICO before it collects and processes personal data, the legal requirement for data controllers to pay a fee to the ICO will remain unchanged.
In a recent blog, the ICO has indicated that the new data protection fee structure will come into effect on 1 April 2018. The fees that will be paid are still being finalised by the Department for Digital, Culture, Media and Sport, in consultation with the ICO and other stakeholders. Ultimately, Parliament will approve the final fees before they go live.
The ICO has said that the new fee structure is designed to fairly reflect the level of risk involved in processing personal data. However, the fee payable by a data controller will still mainly depend on the size and turnover of the organisation, as well as how much data it processes.
We should receive further information on the new fee structure by the end of 2017.
Paul Motion, Partner and Solicitor Advocate, firstname.lastname@example.org / T: 0131 222 2939