Organisations responsible for how personal data is handled are generally obliged to pay a data protection fee each year to fund the monitoring of compliance and enforcement of data protection law in the UK.
A rate of £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations applies, with the fee payable by all data controllers operating in the UK, unless an exemption applies. The Information Commissioner's Office (ICO) issued guidance on the topic of the data protection fee earlier this year.
Exemptions are attached to certain types of processing. For example, an exemption applies where organisations only process personal data for staff administration purposes, advertising, marketing and public relations purposes, and/or accounts and records purposes, other than when processing personal data by or obtained from a credit reference agency.
Data controllers that do not process personal data by automated means, or with the intention that it be processed by automated means, are also exempt from the fee.
The Department for Digital, Culture, Media and Sport (DCMS) had given organisations the opportunity to lobby for other new exemptions to be introduced in a consultation exercise earlier this year.
However, following its review, the department has now confirmed that it will only introduce one new exemption – for all processing relating solely to standing for or fulfilling the office of all categories of elected representatives, and peers.
Earlier this autumn, the ICO announced that it had initiated enforcement action against 34 organisations, including financial services companies, NHS bodies and recruitment companies, for failing to pay the data protection fee.