Privacy & Information Security Law Blog

EU data protection authorities (“DPAs”) are proving their willingness as enforcers with respect to the GDPR, not just with regard to the most serious acts of non-compliance but also for errors of a more administrative nature. Under the previous regime, DPAs typically required companies to register their processing activities with the regulator, but the GDPR now permits organizations to maintain data processing inventories internally, only showing them to DPAs when there is a particular need to do so. In the UK, the Information Commissioner’s Office (“ICO”) introduced a requirement for organizations to pay a “data protection fee,” which data controllers falling under the ICO’s scope must pay once a year. Those companies that fail to pay the fee risk incurring a fine of up to £4,350 each.

Between September and November of this year, more than 900 organizations have received notification from the ICO of its intent to fine as a result of their failure to pay the data protection fee. The notifications have been delivered to organizations operating across a number of sectors, from construction to finance, and more than 100 companies have had fines levied against them, with the proceeds contributing to the UK Treasury’s Consolidated Fund. Those notified were given eight days to pay the fine before further legal action was taken by the ICO.

For small organizations, with no more than 10 members of staff and revenues of less than £632,000, the fee is limited to £40 per year, but for the larger organizations, reporting revenues of more than £36 million and employing more than 250 staff members, the required fee is a more sizeable £2,900, based on the increased level of risk the company and its data processing activities present. The fee supports the ICO, which now employs 670 staff members in the UK, in conducting its investigations, providing advice, and preparing guidance relating to the UK’s data protection regime. The specific charges levied are now set out in the UK’s Data Protection (Charges and Information) Regulations 2018.