18 Jul 2019 4:15 PM

It's over a year since GDPR was introduced. Most businesses have become more aware of their use of data, of keeping it secure and of the rights of the individual to privacy. Despite the publicity around the introduction of GDPR and what it means for businesses, we regularly hear media reports of organisations that continue to flout the rules.

As part of the regulation, eligible businesses are also legally obliged to pay an annual data protection charge.

Here is an at-a-glance summary of what businesses need to do and how to tell if your organisation is exempt.

What is the annual data charge?

All businesses (including sole traders and partnerships) that process personal data are required to pay an annual data protection charge to the Information Commissioner’s Office (ICO) unless a relevant exemption applies.

Why should I pay?

It is a legal requirement to pay the charge, and failure to do so could result in a fine, but it also makes good business sense as it could have an impact on your business reputation. If you are a data controller and do not pay the charge, or you pay the incorrect charge when required to do so, then you risk enforcement action by the ICO. The maximum fine is £4,350.

How much do I pay annually?

That will depend! There are three tiers:

  • Micro organisations (including sole traders) pay £402.

  • Small & medium organisations pay £603.

  • Large organisations pay £2,900.

Some organisations, such as charities, pay £40 regardless of size.

How are the tiers measured?

  1. Micro: turnover of up to £632K, or no more than 10 employees;

  2. Small & medium: turnover of up to £36m, or no more than 250 employees;

  3. Large: outside the above.

What do I get for my money?

The ICO uses the data protection fee to fund its data protection work. It does not keep any money received in fines but passes it directly to the Government. Once you have paid, your business details are published on the Information Commissioner's register of data controllers.

How do I know if I am exempt from this charge?

There is a range of exemptions that apply to this charge. In order to determine if payment is necessary, you can use the self-assessment tool on the ICO website:

https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/

Use of CCTV

From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, are exempt from paying a fee under data protection law, even if the camera films beyond the boundaries of their property. However, if images are captured outside your boundary, this does not negate your responsibilities as set out by the ICO and the data protection laws that relate to them. Use of CCTV for business purposes is caught under the regulations, and clear policies need to be operated.

How are Multi Academy Trusts (MATs) affected?

Under the multi academy trust arrangements, the MAT is responsible for the activities of all the schools in the MAT, even though some functions may have been delegated to local Heads of School or Local Governing Bodies. Ultimate responsibility lies with the MAT.

Provided the schools and academies within the MAT do not have any legal status separate from that of the MAT, the MAT is the legal entity responsible for the processing of personal data by the schools and academies within the MAT. The MAT would be the data controller for the processing and required to pay a data protection fee.

If the schools or academies within the MAT are not separate legal entities, we also recommend that they are shown as trading names on the MAT's register entry. It is important that parents and children are able to see who is responsible for the processing of their personal data.

Do not-for-profit organisations need to pay a fee?

You do not have to pay a fee if your organisation was established for not-for-profit purposes and does not make a profit, or if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:

  • only process information necessary to establish or maintain membership or support;

  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;

  • only hold information about individuals whose data you need to process for this exempt purpose;

  • restrict the personal data you process to personal information that is necessary for this exempt purpose;

  • only keep the information while the individual is a member or supporter, or for as long as necessary for member/supporter administration.