You get what you pay for, or not? GDPR to extinguish ICO notification requirements, but ICO fees to remain
From 1 April 2018, a new data protection fee system will be launched that will change how organisations pay fees to the Information Commissioner’s Office (ICO).
Currently, the processing of personal data by organisations is governed by the Data Protection Act 1998 (DPA). The DPA requires organisations to:
- notify the ICO regarding what personal data they are collecting and how they are processing it; and
- pay a notification fee to the ICO of either £35 or £500, based on the organisation’s size, turnover and the amount of personal data it is processing.
When the GDPR takes direct effect in UK law on 25 May 2018, an organisation will still be obliged to keep detailed records of how it processes personal data, but it will no longer be required to notify the ICO with details of its processing activities.
However, although the requirement to notify the ICO is to be abolished, a legal requirement for data controllers to pay the ICO a data protection fee will remain. On its website, the ICO notes that retaining a fee mechanism is necessary in order to fund the data protection work it undertakes.
Under the new fee system, which is being developed under the Digital Economy Act 2017, the level of fees an organisation will be required to pay will continue to be dependent on the size of the organisation and how much personal data it processes. A three-tiered system is currently envisaged, which the ICO hopes will simplify the categorisation of organisations and allow organisations to easily categorise themselves. The final fee structure is due to be approved by Parliament after being ratified by the ICO, the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport and representatives of those likely to be affected by the change.
The ICO does not discuss the impact of Brexit on this new fee structure. However, given that the new system is being implemented under UK legislation, it will apply post-Brexit. This will be the case even though the GDPR will cease to apply at that point, since the UK government intends its Data Protection Bill (Bill) to replace the GDPR.
The Bill, which is currently progressing through Parliament, would effectively implement the GDPR into UK domestic law, while making use of derogations available under the GDPR and also creating new criminal sanctions.
What does this change for data controllers at the moment?
- If you are due to renew your notification shortly, you should continue to renew as usual. It is a criminal offence to not notify the ICO if this is a requirement for your organisation under section 17 of the DPA.
- If you have already renewed, the ICO has advised that it expects annual renewals made before 1 April 2018 to run for a full 12 months. On that basis, your organisation will not have to make a payment under the new system until your notification under the old system expires.
For more information about data protection or the GDPR, please contact Alan Nelson, Duncan Turner or Jennifer Barr.