Data protection self-assessment: are you up-to-date?
25 May 2018 saw the introduction of a new data protection regime in the UK. As part of the changes, a new data protection fee structure now applies, which replaces the previous requirement to register with the Information Commissioner’s Office (ICO). Here, we consider the rules in more detail.
The regulations: an overview
On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 came into effect, alongside the General Data Protection Regulation (GDPR).
The GDPR has strengthened the obligations on all organisations that deal with individuals living in an EU member state to safeguard the personal information belonging to those individuals, and to retain verified proof of this protection.
As part of the Data Protection (Charges and Information) Regulations 2018, businesses and individuals which process sensitive information – regardless of their compliance with the GDPR – must pay an annual data protection fee to the ICO, unless they are exempt. Exempt organisations are generally those which:
- manually process data
- process data for personal, household or family purposes
- process data for the purpose of maintaining a public register
- handle data for staff administration purposes
- utilise data in order to advertise or market the controller’s own activities
- perform judicial functions
- operate as a not-for-profit body, and process data for specific purposes.
An exemption also exists for the purpose of keeping accounts and records and making financial forecasts, except where the data in question was obtained from a credit reference agency.
The new fee structure
Organisations and individuals which handle personal information are termed ‘data controllers’. It is data controllers who are responsible for paying fees to the ICO.
A new fee structure has been introduced, which replaces the previous requirement to ‘notify’ (or register) under the Data Protection Act 1998:
- a Tier 1 fee of £40 is payable by micro organisations with a maximum turnover of £632,000, or no more than ten members of staff
- a Tier 2 fee of £60 is payable by small and medium-sized organisations with a maximum turnover of £36 million, or no more than 250 employees
- if you do not meet the criteria for Tier 1 or Tier 2, the Tier 3 fee of £2,900 applies.
Controllers who have a current registration under the 1998 Act do not need to pay the new fee until their existing registration has expired.
Any data controller who processes personal data, or is responsible for the processing of personal data, and either fails to pay a fee, or fails to pay the correct fee, is breaking the law and could be subject to significant penalties. The maximum penalty is £4,350, which equates to 150% of the top tier fee.
Ensuring you are compliant
The ICO provides a free self-assessment tool: https://bit.ly/2HFyNMM. It has also developed a data protection self-assessment toolkit specifically for small and medium-sized enterprises, which contains assurance checklists, alongside support in regard to the security of information, direct marketing, the management of records, data sharing, and the data protection rules relating to CCTV.
Staying up-to-date with the data protection regulations could help you to avoid significant penalties.