The UK government has revealed plans to increase the top tier of annual fees for data controllers from £500 to £2,900 in an attempt to ensure the Brit privacy watchdog has enough cash to function.
The new payment regime comes into effect with the European Union’s General Data Protection Regulation on 25 May 2018.
At the moment, data controllers – organisations or people that define how and why personal data is processed – have to register with the Information Commissioner’s Office and pay a fee of either £35 or £500, depending on their size and turnover.
The GDPR removes that obligation for data controllers – but the government has chosen to implement a new funding structure to keep money flowing into the ICO’s coffers.
The proposed scheme, which was laid before parliament yesterday (PDF) and awaits full sign-off, retains a tiered structure but increases the top payment by £2,400.
The move follows widespread concerns that the ICO is not able to cope with the demands of implementing the GDPR.
The body has already been slipped out of the strict civil service pay rules so it can offer more competitive salaries in a bid to stem its rumoured brain drain and hire and retain skilled staff.
The latest plan is part of efforts to plug a funding gap that the government said in an explanatory note (PDF) would see the ICO's "income requirements" increase from £19m in 2016-17 to £33m in 2020-21.
New fee structure to affect larger organisations
Small organisations with a maximum turnover of £632,000 or no more than 10 staff will pay £40 a year, while SMEs – defined as having a maximum turnover of £36m or no more than 250 employees – will pay £60. Previously those with a turnover of up to £25.9m and fewer than 250 staff members paid £35.
But now, any data controller that has more than 250 staff or a turnover of more than £36m will have to cough up £2,900 a year – and the ICO said it will regard all controllers as eligible to pay this fee “unless and until they tell us otherwise”.
The government acknowledged that most data controllers that paid £500 would now pay £2,900, which is an above-inflation increase ("an inflationary increase would have seen the £500 fee rising to £623.61 in 2017", it said).
But, it argued, the higher fee is necessary because it “reflects the increased level of information risk inherent in this category of data controllers”.
There are some discounts though: public authorities only have to go by staff numbers, while charities pay £40, regardless of size or turnover, and anyone who pays by direct debit gets £5 off.
Meanwhile, bodies that are only processing personal data for certain purposes – including staff administration, maintaining a public register and processing without an automated system like a computer – don’t have to pay at all.
Non-payment of fees is still punishable with fines of up to £4,350, but these will now be civil monetary penalties rather than criminal sanctions.