The Information Commissioner’s Office (ICO) has recently sent out notices of intended fines to organisations that have yet to pay the fees that they owe for processing personal data. At present, all organisations that process personal data must pay a fee to the ICO unless they are exempt. The ICO has made a fee calculator and guidance notes available to help organisations calculate what, if anything, they owe. The fine notices have been sent to both public and private sector organisations, including the NHS, government organisations and recruitment firms.
If an organisation was registered for data processing before 25th March 2018, and so under the Data Protection Act 1998 rather than the 2018 Act incorporating GDPR, no fees are payable until that registration has expired. Otherwise, three tiers of fees apply, depending on the size and turnover of an organisation and whether it is a public authority or charity. Broadly speaking, small organisations pay £40, medium-sized organisations £60, and large organisations £2,900. The fee calculator explains how the tiers are defined.
The fees are intended to fund the ICO’s data protection work and the services it offers, and came into force on 25th May to coincide with the Data Protection Act 2018. Failure to pay is now a civil offence under GDPR.
The organisations that have received notices of intended fines have 21 days in which to respond. The action stops if they pay, but fines may be issued if they ignore the notices or refuse to pay. There is a range of fines from £400 to £4,000, but under certain circumstances they may reach £4,350. More notices are expected to be issued soon, the ICO says.