08Oct

The Information Commissioner’s Office (ICO) says it has written to 34 firms and organisations highlighting that they have not paid the new data protection fee.

The data protection watchdog says it has issued formal ‘notices of intent’ to the 34 firms and organisations, which encompass “a range of organisations across both the public and private sector including the NHS, recruitment, finance, government and accounting.”

The ICO says that the new fee is necessary for it to fund new guidance services now that new data protection legislation is in force. It highlights that it has introduced new telephone and online help services, and that it has taken on a significant number of new staff in the last two years.

Despite the increase in the ICO’s cost burden, the smallest firms will still pay just £35 in data protection fees, provided they pay by direct debit. This is the same level of fee as they paid under the previous data protection regime, before the Data Protection Act 2018 and the General Data Protection Regulation came into force.

Tier 1 firms are micro-organisations, with annual turnover of £632,000 or less and no more than ten members of staff. The standard fee for these firms is £40.

Tier 2 firms are small and medium sized organisations with annual turnover of £36million or less and no more than 250 members of staff. Their fee is £60.

Tier 3 comprises large organisations that do not meet the Tier 1 or Tier 2 criteria. The fee for these organisations is £2,900.

All fees are discounted by £5 from the amounts shown if payment is made by direct debit.

The recipients of these notices now have 21 days to pay up. Any of the 34 organisations that still refuse to pay the fee will be fined up to £4,350. The exact size of any fines will be determined by the organisation’s size and turnover, and whether there are any aggravating factors, so some smaller organisations could be fined as little as £400.

The ICO also says that it is drafting more notices of intent to other organisations who have failed to pay their dues, and that these notices will be issued shortly.

Ensuring that the correct data protection fee is paid, and is paid on time, is yet another important regulatory obligation for firms of all sizes across all business sectors.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

“We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.

“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article