In November 2018, the Information Commissioner’s Office (ICO) issued its first fines to organisations that failed to pay the data protection fee. I know what you are expecting – a handful of fines to make an example of certain offenders, right?… Wrong!
Over 900 notices of intent and 100 penalty notices were issued.
September to November’s round of fines and notices did not discriminate against size or turnover and it wasn’t only the “big players” that met their match in the ICO. Instead, it was businesses of all sizes in sectors such as childcare, recruitment, construction, business services and manufacturers. These organisations were fined under the new regulation for failing to renew their fees following their expiry and the ICO say “more fines are set to follow”.
All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt. Fines for not paying can be up to a maximum of £4,350.
The fee is not a new concept. Controllers pre-May 2018 were required to pay a registration fee to the ICO, although many didn’t. Why?
Well, failure to notify the ICO was a criminal offence rather than a civil wrong. This sounds more serious, but it was actually much more difficult to enforce. The standard of proof is lower in civil cases, meaning that a monetary fine for non-compliance is much easier to obtain than a criminal conviction. Not to mention the wide criminal defences that were available.
The new Regulations have however created a registration fee with civil ‘teeth’ – the Data Protection Fee – and the ICO are clearly not afraid to use it. The effort is now worth the ICO’s time due to increased prospects of success and has the added bonus of encouraging payment of the fee (one of the ICO’s means of funding its data protection work).
What happens if I do not pay and I am not exempt?
If you are already registered with the ICO, a reminder will first be sent to you prior to the expiry of the ‘old’ fee period. If unpaid within 14 days of expiry, a notice of intent will then be sent. On the face of it, this seems onerous towards businesses given the short timescale for payment. What if the DPO is sunning themselves on well-deserved annual leave? To put it simply – this is not the ICO’s problem.
Penalty notices are appealable, free of charge, to the Information Tribunal however the advice is to not let it reach this point, if possible. The fine is one thing, but reputational damage may be harder to repair.
The very simple solution is to pay the fee and set-up suitable business systems to ensure the fee is renewed on time. If you haven’t already registered, now is the time to do so. Check whether you must pay the fee using the Information Commissioner’s Office’s self-assessment tool. The fees are as follows:
• Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40
• Tier 2 – SMEs. Maximum turnover of £36million or no more than 250 members of staff. Fee: £60
• Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900.
June 2019 update: Farrow and Ball’s appeal to a fine imposed due to an overdue fee payment was rejected.
The reasons for the overdue payment included a person being on holiday and an internal member of staff not recognising the importance of ICO correspondence. Farrow & Ball argued that it had learned from its mistake and put procedures in place to ensure the failure to pay would not happen again. Despite this, it was not enough to avoid the fine and the appeal was rejected.
This paints a risky picture for intentional AND unintentional Data Protection Fee non-payers.
Add the date your diary in big bold letters, set an outlook reminder or assign more than one member of staff to the task of payment – do whatever it takes to make sure that you have a system to avoid this expensive mistake.