The Government has published draft regulations to implement a new charging regime to replace the current notification process under the Data Protection Act 1998.

The current notification fees help to fund the Information Commissioner's Office. The regulations are necessary because the General Data Protection Regulation, which replaces the DPA from 25 May 2018 does not provide for a scheme under which controllers must notify or register with their national supervisory authority.

How much will I pay under the new scheme?

The draft regulations set out a three tier approach:

  • Tier 1 (micro organisations, charities and small occupational pension schemes): £40
  • Tier 2 (small and medium organisations): £60
  • Tier 3 (large organisations): £2,900

Those organisations that qualify as a large organisation will face the biggest increase in fees - they currently pay £500 a year. There will be a £5 deduction for paying by direct debit.

As with the current regime, many organisations will be exempt from the requirement to pay a fee.

How do I know which tier applies?

Tier 1 includes organisations with a turnover of less than £632,000 or no more than 10 members of staff, together with charities and small occupational pension schemes.

Tier 2 includes organisations that do not fall into Tier 1, but have a turnover not exceeding £36m or no more than 250 members of staff.

Any other organisation will fall into Tier 3. For the purposes of determining which tier a public authority falls into, only the number of employees is considered.

Must all organisations pay the charges?

As with the current regime, the fee is not payable if an organisation only processes personal data for exempt purposes.

The exemptions under the new scheme will be slightly wider. In addition to the current exemptions for processing only for staff administration, advertising, marketing and public relations, accounts and records, and administration of membership of a non-profit organisation, the following are added to the list:

  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

The exemptions apply only if you process personal data only for exempt purposes. If you process personal data for any other purposes then the exemption does not apply.

It will be important to review the exemptions closely. For example, if you maintain a blog and endorse or promote businesses then the personal, family and household affairs exemption will not apply. The ICO has published guidance on the exemptions on its website.

When does the new charging regime commence?

The new fees apply from to new registrations and renewals from 25 May 2018. If your current notification expires before then you should renew as normal.

Under the new scheme, controllers will no longer need to notify the ICO of their data processing activities. The information required is simply that which is necessary for the ICO to administer the new fee regime. However, if you are required to have a Data Protection Officer under GDPR then you will also be required to provide the ICO with his or her contact details.

What happens if I do not pay the required fee?

A failure to pay the fee, or not pay the correct fee, may be subject to a fine of up to £4,350. Regulations covering the power of the ICO to impose a fine have not yet been published.

Where can I find out more?

You can download the draft regulations from here (PDF).

Updated 16 April 2018: the regulations have now been finalised and will come into force on 25 May 2018.

You can download the ICO's guide to the new charging scheme on the ICO website.

To find out how GDPR impacts on your organisation, visit our GDPR Hub or contact me or another member of our Information Law team.


Martin Sloan