No ICO notifications but fees continue under GDPR
The Information Commissioner’s Office (ICO) has provided guidance as to how its notification and fee regime will change when the General Data Protection Regulation (GDPR) comes into force in May 2018.
The ICO has ended the need for data controllers to notify and complete an entry on its register of data controllers. Currently, notification requires a fee of either £35 or £500, depending on the size of the data controller.
The ICO has however announced that it will continue to levy fees from data controllers so as to fund its increased workload from May 2018. The new process that will be put into place under the Digital Economy Act is a three tier system which categorises and charges fees to data controllers according to their size (number of employees and turnover) and the amount of data they process.
The ICO remains in discussions with the Department for Digital, Culture, Media and Sport (DCMS) as it develops the new system. Proposed annual fees will range from up to £55 for Tier 1 organisations, up to £80 for Tier 2 organisations and up to £1000 for Tier 3 organisations.
The intention is therefore to create a fair and simple system of funding and the DCMS will confirm later on in the year if current limited exemptions to the notification obligation are likely to be carried over to the new funding system, so that data controllers who only carry out data processing for purposes such as judicial functions, marketing their own business and staff administration will not be required to pay a fee.
The new model is intended to go live on 1 April 2018; however, data controllers are still under an obligation to renew their notifications where this renewal falls between now and 1 April 2018. Not renewing remains a criminal offence until the new model kicks in.
Why is this important?
The abolition of the obligation to register as a data controller reflects an understanding by the ICO that such schemes had largely become box-ticking exercises and is one of the few areas where the GDPR appears to lighten the administrative burden for data controllers.
The abolition is consistent with Recital 89 of the GDPR, which calls for “indiscriminate general notification obligations to be abolished”.
Any practical tips?
Multi-national organisations should note carefully the limitation of Recital 89 to general notification obligations. Many other EU Member States have implemented more specific notification requirements which relate to particular data processing activities (for example, whistleblowing or international transfers), and it can be argued that such requirements are not indiscriminate or general in nature, and therefore may be retained by Member States post May 2018. Consequently, there will be a requirement for organisations to continue to monitor notification requirements across the EU, particularly as they implement higher risk data processing arrangements.