By James Clark and Ataikor Ngerebara
The ICO has provided some clarity on how its notification and fee regime will change when the General Data Protection Regulation (“GDPR“) enters into force from May 2018.
As expected, the ICO has confirmed that it will drop its requirement for organisations which process personal data (known as ‘data controllers’) to notify the ICO and complete an entry on its register of data controllers. This is consistent with Recital 89 of the GDPR, which calls for “indiscriminate general notification obligations to be abolished”. The abolition of general notification obligations, such as the ICO’s register of data controllers, reflects an understanding that such schemes had largely become box-ticking exercises in compliance, with little genuine effect in improving data protection outcomes for data subjects. However, multi-national organisations should note carefully the limitation of Recital 89 to general notification obligations. Many other EU Member States have implemented more specific notification requirements which relate to particular data processing activities (for example, whistleblowing or international transfers), and which in some cases require a review by the local Data Protection Authority of the relevant documentation implementing that activity. It can be argued that such requirements are not indiscriminate or general in nature, and therefore may be retained by Member States post May 2018. Consequently, there will be a requirement for organisations to continue to monitor notification requirements across the EU, particularly as they implement higher risk data processing arrangements.
Whilst the ICO is definitively dropping its notification regime, it has also announced that it will continue to levy fees from data controllers. This is unsurprising, given the increase in the volume and complexity of work which the ICO will be required to handle under the new law. Currently, notification typically requires a fee of either £35 or £500, depending on the size (by turnover or employee numbers) of the data controller.
The new funding mechanism will be put in place under the Digital Economy Act and the amount of the fee is currently being developed with an intention is to have a fair system which takes into account not only the size of the organisation, but also the relative risk of the organisation’s processing activities. The proposal at the moment is also for a three tier system, in contrast to the current two-tier system. The current limited exemptions to the notification obligation are likely to be carried over to the new funding mechanism so that data controllers who only carry out very basic forms of data processing will not be required to pay a fee. However, depending on the level of the fee, it remains to be seen whether, in practice, many organisations will take a practical risk based decision to pay the fee rather than risk being asked to demonstrate that they fit within the confines of the narrow exemptions.
The ICO aims to communicate the fees to data controllers by the end of 2017. The new model is intended to go live on 1 April 2018, however, importantly data controllers are still under an obligation to renew their notifications, where this renewal falls between now and 1 April 2018. Not renewing remains a criminal offence until the new model kicks in.
Where a data controller has recently renewed or renews between now and 1 April 2018, this renewal will run for a full year, so such organisations will not need to pay a fee until their notification under the old model expires.