The ICO is taking active enforcement against organisations who are not properly registered to pay the UK data protection fee.
In our earlier blog post on the UK’s New Data Protection Fee, we explained that the UK was implementing regulations (which are unique in Europe) to require payment of a registration fee to the Information Commissioner’s Office (ICO). The fee must be paid by all controllers established in the UK, unless an exemption applies.
The ICO is now actively enforcing payment of the fee and we are aware of numerous examples of organisations who are not on the register or who have not made the appropriate payment.
- Between 1 July and 30 September 2019, the ICO issued 240 monetary penalties for failure to pay the fee. Penalties range from £400 to £4,000.
- The ICO is now targeting organisations which it believes have not paid the fee. It is cross-checking its records with other public registers (e.g. Companies House files) and writing to businesses which are not registered. The letters are clear – pay the fee, confirm an exemption applies, or face a fine of up to £4,350.
The vast majority of businesses will be required to pay the data protection fee, with three tiers of fee (£40 / £60 / £2,900) based on the size of the business, taking into account the number of staff and the business turnover. A self-assessment tool on the ICO website helps explain which fee needs to be paid, and the ICO also provides further guidance on the fee and how to apply the exemptions – see here.
As the payment of the data protection fee is an administrative process and a strict liability risk, it is an easy area for enforcement by the ICO (and an easy thing for a controller to overlook accidentally). Even without the ICO’s current enforcement drive in this area, non-payment of the fee can readily come to light where the controller needs to deal with the ICO on other matters – for example when reporting a personal data breach, or dealing with a complaint in relation to a data subject request. We expect the ICO to routinely cross-check its register and issue fines if payment is missing.
It is worth noting that, strictly speaking, the requirement to pay the data protection fee also applies to controllers which are not established in any member state but which are caught by the extra-territorial application of the GDPR via Article 3. If these controllers target UK individuals, they too should consider payment of the fee.
Whilst controllers with no establishment in any member state are unlikely to receive a direct approach from the ICO as part of the current drive, if they find themselves needing to report a personal data breach, or being investigated by the ICO (e.g. due to data subject complaints), non-payment is likely to come to light and be an aggravating factor in any wider compliance issue. Note that the position for these controllers is more complex, in that they also need to appoint a representative based within the EU, which should act as the first point of contact for any member state supervisory authority.
For more information please speak to your usual DLA Piper contact.
Robyn Palmer, DLA Piper UK LLP