Unpaid Data Protection Fee
Data Protection Fee, UK Data Protection, hasn’t gone unnoticed that the Information Commissioners Office (ICO) has started its program of contacting organisations who haven’t paid their data protection fee; the roll out of compliance with the GDPR and DPA 2018 continues.
From May 2018 the every organisation or sole trader in the UK that processes personal data were required to pay a data protection fee to the ICO (though there are some exceptions), and would appear that the ICO is now taking steps to ensure everyone has paid. They have started the process of comparing the data protection register with organisations listed on Companies House, and from those records they are contacting everyone who is not yet registered.
If you receive such a letter some of the questions you’ll need to ask yourself are ‘Is the company exempt?’ and if it’s not then ‘What tier does the company fall into?’, of which there are three. Then the bigger questions ‘Is the company actually compliant with new data protection regulations?’
Data Protection Representative
It’s important to be aware that since Brexit a couple of other requirements have come into force. UK based organisations that process the data of EU citizens will need to appoint an EU Representative under article 27. Likewise, organisations that are based in the EU and process data belonging to UK citizens will need to appoint a UK Representative. If you need help to determine if you need to appoint a representative please contact a member of our data protection consultancy team who will be happy to assist.
Paying the UK Data Protection Fee
Paying the data protection fee isn’t especially difficult, the ICO has an online payment portal (https://ico.org.uk/registration/new) that you can use, and if you receive a letter reminding you to pay the data protection fee they will give you about a months grace to take care of it. The last thing you should do in this situation is ignore it, the ICO can fine an organisation up to £4,350 for not having paid the fee (or for having registered as the wrong tier), and considering the cost for a Tier 1 organisation is only £40.00pa and Tier 2 is £60.00 pa (Tier 3 being £2,900) it’s certainly more cost effective to pay the fee than pay the penalty.
There are other tools available on the ICO website that can help; they have a self-assessment process (https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/) which can help you determine which tier your company fits into.
Remember that the data protection fee applies to ‘Organisations that are Data Controllers’ and separate fees must be paid for individual companies. If you have multiple sites that are part of the same legal entity then a single fee would cover all of them, but if you own multiple limited companies that process personal data in their own right then they will each need to register with the ICO as a separate entity and pay the required data protection fee.
Ultimately when it comes to the GDPR, the Data Protection Act 2018 and the ICO, the best offense is a good defence. Any decent DPO worth their salt would be able to help an organisation address and update it’s compliance status from a ‘top down’ perspective, ensuring that compliance measures, security controls and the culture of data protection starts in the board room and permeates through every level of the business.
If you receive a letter from the ICO (or from any third-party organisation or authority) that calls into question the compliance of your business it’s best to be prepared. We would recommend consolidating your risk in a single compliance strategy that would show accountability. This is something that is key to every organisations data protection compliance, accountability; as every company operates differently, no two will have exactly the same compliance strategy (other than the standard mandatory compliance measures of course), so your approach has to be specific and appropriate, and you should be able to show that the company is accountable for the decisions that went into creating that approach.
The larger the organisation the more considerations have to be made, and the more people have to be involved, which of course means it will take longer to implement. For smaller businesses, those in the SME sector, this doesn’t have to be a painful process at all. If you need any help working out your own data protection fee, or if you’d like to consider appointing an external independent (and affordable) DPO, then give Ametros Group a call; We’re always happy to help.
Be vigilant for scams, we are aware a number of businesses have been contacted for payment of the data protection fee by fraudsters. You should only pay the data protection fee by visiting the ICO’s website and selecting Pay fee, renew fee or change your details from the menu provided.
Top Tip: When paying the Data Protection Fee make sure you select to pay by direct debit, this way you will wont risk missing registration next year. Paying via direct debit is a quick and reliable method to make sure you remain registered with the ICO. Failure to keep up with your Data Protection Fee can result in monetary penalties under the UK Data Protection Act 2018. It’s important that you pay the correct fee and review this on an annual basis to avoid complacency. If in doubt, we recommend you speak to a member of our team here at Ametros, we can help guide you to make the right decision on which data protection fee you need to pay, and our data privacy experts can help ensure you remain complaint with an annual compliance review.
About Ametros Group
Ametros Group is a multi-award winning data privacy outsourcing provider. The company helps organisations to comply with various data privacy laws including EU GDPR and the UK Data Protection Act 2018 through consultant led compliance framework, GDPR implementation, auditing, Data Protection Officer outsourcing and EU/UK Representative services. Established in 2015, our multi-award winning team of data protection consultants have worked with FTSE100, Fortune500 and SMEs to deliver data protection consultancy excellence around the globe.
Press Contact
Ametros Group
press@ametrosgroup.com
Connect with Ametros Group
Together we can improve data privacy standards