Who exactly are the ICO?
The ICO, the Information Commissioner’s Office, is responsible for protecting information rights in the interest of the public. It strives to ‘empower you through information’ by promoting transparency and by allowing organisations to plan positively, invest and expand, and members of the public to contribute to a more efficient society. It also wants the public to hold the ICO accountable for the positive impact it makes by overseeing the rules and regulations that it manages.
What Does it Mean to Process Information?
The ICO describes processing as ‘taking any actions with someone’s personal data’. Until the data is destroyed securely, it is being processed. This applies even if the personal information is no longer useful or no data processing actions are being taken.
Examples of data processing actions include:
- Making changes to data
- Sharing
- Organising
- Deleting
- Editing
- Using
- Recording etc.
The Data Protection Fee
Under the Data Protection Act 2018, it is a legal requirement that every organisation or sole trader that processes information pays the data protection fee on an annual basis. Not only does it fund the ICO’s work, but it also indicates to your customers that you highly value their information, creating a good business image. Being listed on the ICO’s register of fee payers will assure customers that your organisation prioritises data protection.
Who Has to Pay the Fee?
Generally, the fee is expected to be paid if personal data is being processed or if CCTV is utilised for the purposes of crime prevention.
Certain organisations may be exempt from paying the ICO or may pay a reduced fee.
You can also use ICO’s free self-assessment service to check if you need to pay the data protection fee.
If you are exempt, then you can complete the exemptions form to notify the ICO that your company is not expected to pay the data protection fee.
Who is Exempt from Paying the Fee?
If personal information is not being processed, you are exempt from paying the data protection fee. However, there are some further exemptions. If data is being processed for any of the reasons listed below, the ICO states that you are also exempt, because these count as ‘core business purposes’:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not for profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system
- Members of the House of Lords, elected representatives, prospective representatives
How Much Does the Data Protection Fee Cost?
Parliament imposes a tier-based system, and the fees are based on the level of risk that Parliament believes is present when processing personal data. The fee depends on several factors: the size of the company, its turnover for the financial year, its number of employees, and whether it is a public authority, a charity, or a small occupational pension scheme.
Tier 1 - £40
Applicable to micro-organisations: maximum turnover of £632,000 for the financial year or 10 employees or fewer.
Tier 2 - £60
Applicable to small and medium organisations: maximum turnover of £36 million for the financial year or 250 employees or fewer.
Tier 3 - £2,900
If the company does not meet requirements imposed by tier 1 and tier 2, tier 3 is applicable. This is typically applicable to large organisations.
Also, charities and small occupational pension schemes (unless they are exempt entirely from paying) will be required to pay the tier 1 fee regardless of the turnover or size. Public authorities should only consider the number of employees to determine the tier. They are not required to consider the turnover.
How to Pay
If you choose to pay the data protection fee via direct debit, the ICO will offer a discount of £5 when making the payment. The other ways that you can pay include: credit or debit card (registration reference and order reference required) or cheque (registration reference or application reference required).
The fee will cover you for a full year, and the ICO will notify you before the period covered by your previous payment ends, so you will know when the renewal is required.
Let's Talk Penalties + More Information
As the payment of the data protection fee is a legal requirement, you can expect to receive a fine if you have either not paid the fee or if you have paid the incorrect fee (based on the tier). The maximum penalty that you can land is a £4,350 fine. As you can imagine, it’s best to use ICO’s online tool to determine if you are exempt or not and how much you are due to pay to avoid any hefty fines being issued to you!
It may be worth noting that the ICO publishes the names of the companies that have not paid the necessary data protection fee, so you may want to consider what image this portrays of your business to your customers. So, speaking of complying, here's the link so that you can register your organisation with the ICO today.
Hopefully, this article has helped you understand the purpose of the ICO and how you can guarantee your organisation conforms with them.