Privacy & Information Security Law Blog

The cost to register as a data controller in the United Kingdom is likely to increase significantly later this year, rising from £35 to £500 for companies with annual sales of at least £25.9 million and 250 or more employees.

The UK Information Commissioner has proposed a two-tiered fee structure as part of the Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (the “Regulations”).  The Regulations are expected to come into force as of October 1, 2009.

Pursuant to the Data Protection Act 1998, all organizations that process personal data in the UK as data controllers must notify the Information Commissioner's Office (the “ICO”) of such processing activity and register as a data controller.  Failure to register is a criminal offense punishable by a fine of up to £5000 in a Magistrates’ Court, or an unlimited fine in the Crown Court.

The proposals currently before Parliament would require companies with annual sales of £25.9 million and 250 or more employees to pay the ICO an annual notification fee of £500.  Government entities with 250 or more employees would be subject to the increased fee as well, although charities and small occupational pension schemes would continue to pay the £35 fee.

The explanatory memorandum accompanying the Regulations indicates that the increases are necessary to reflect the true administrative costs and resources the ICO dedicates to regulating large data controllers.  The ICO’s funding has not increased since the Data Protection Act came into force, and additional regulatory requirements and enforcement powers due to come into force  in early 2010 will place the ICO’s budget under even greater strain.  That said, the ICO’s research indicates that less than 4% of UK data controllers will meet the threshold requiring them to pay the higher fee, so it is unclear whether the cost increase will have a material impact on the ICO’s revenue.