The Information Comissioner’s Office (ICO) has launched a new three-tier system for data protection fees, and data controllers could now be expected to pay up to £2,900. But, as many businesses have not updated their direct debits or auto payments, they are now unknowingly failing to meet the ICO’s regulations and are being penalised. Doug Perry, partner at Clayton & Brewill, sets out the facts we know so far about the fees you may need to pay.
If you do not know whether or not you need to pay this fee, or are unsure about which tier your business falls into, we have provided ICO’s guidelines below.
What are the 3 tiers?
- Tier one – micro organisations. You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier one is £40.
- Tier two – small and medium organisations. You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier two is £60.
- Tier three – large organisations. If you do not meet the criteria for tier one or tier two, you have to pay the tier three fee of £2,900. We regard all controllers as eligible to pay a fee in tier three unless and until they tell us otherwise.
What are the experts saying?
Paul Arnold, ICO Deputy Chief Executive, stated: “It’s the law to pay the fee, but it also makes good business sense. Because whether or not you’ve paid the fee could have an impact on your reputation. It’s a strong message for your customers – it lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately.” To read his article in full, click here.
The ICO has a fifteen minute self-assessment test where you can check to see which band your business falls into, or if you are exempt from the fee.
For full, extensive information on the changes download the ICO’s Data Protection Fee guide.
For more advice on the data protection fees or if you’d like to discuss any of the areas mentioned above, please contact us.