Your first step to GDPR Compliance is to register your business with the Information Commissioner's Office.
All organisations, companies and sole traders that process personal data must register and pay an annual fee to the ICO (Information Commissioner's Office) unless they are exempt. This follows regulations which came into force alongside the new Data Protection Act and GDPR on 25 May 2018. Non-compliance has been in a grace period, but the ICO is now starting to issue fines for non-compliance:
Paul Arnold, Deputy Chief Executive Officer at the ICO, said:
"Following attempts to collect registration fees via our robust collection process, we are now left with no option but to issue fines to organisations. They must now pay these fines within 28 days or risk further legal action.
"You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this."
You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not for profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
- Since 1 April 2019, members of the House of Lords, elected representatives and prospective representatives are also exempt
How much is it to register?
The size of your business will determine how much you have to pay each year. There are three payment tiers that you need to be aware of. The tier your business falls into will depend on a number of factors, such as the number of employees you have, what your firm’s annual turnover is, and whether you are a public authority or charity.
Tier 1 - £40
(£35 if paid by direct debit) for micro-organisations with a maximum turnover of £632,000 or no more than 10 members of staff.
Fine for non-payment: £400
Tier 2 - £60
For SMEs with a maximum turnover of £36 million or no more than 250 members of staff.
Fine for non-payment: £600
Tier 3 - £2,900
For large organisations exceeding the criteria of Tiers 1 and 2.
Fine for non-payment: £4,000 +
What's the fee for?
The money collected from the data protection fee funds the ICO's work to uphold information rights, such as investigations into data breaches and complaints, its advice line, and the guidance and resources it produces to help organisations understand and comply with their data protection obligations.
If you need advice or assistance then please get in touch.