Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said the Information Commissioner's Office (ICO) had been very vocal about the data protection fee in recent months and had backed this up with active enforcement.
Organisations responsible for how personal data is handled are generally obliged to pay a data protection fee each year to fund the monitoring of compliance and enforcement of data protection law in the UK.
The fee is £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations, and it is payable by all data controllers operating in the UK unless an exemption applies. The ICO issued guidance on the data protection fee last year.
Exemptions to payment apply to certain types of data processing. Businesses that do not qualify for an exemption can be fined up to £4,350 for not paying the data protection fee if "aggravating factors" apply.
"The ICO issued a series of announcements in 2018 which confirmed the attention it is giving to compliance with the data protection fee requirements," Wynn said. "After issuing its guidance in February 2018, the ICO followed up by issuing notices of intent to fine 34 organisations if they did not pay their fees in the early autumn. In a sign that non-payment of the fees is an issue not confined to one sector, the ICO said at the time that it was pursuing financial services companies, NHS bodies and recruitment companies, amongst others."
"In November, the ICO then announced that it had imposed fines on more than 100 organisations over their failure to pay the data protection fee, and it followed this up just prior to Christmas by confirming that it had opened further enforcement action against care homes that had failed to pay the data protection fee. In a new blog posted earlier this month, the ICO is once again urging businesses to pay the fee," she said.
"Altogether, the ICO's announcements and enforcement action amount to a concerted campaign and it demonstrates its willingness to clamp down on companies that fail to pay the data protection fee. Businesses that have not yet done so should examine whether they are eligible for an exemption from the fee and, if not, complete the process of payment promptly," Wynn said.
When organisations pay the data protection fee, the ICO registers them as data controllers. Paul Arnold, ICO deputy chief executive, said this registration can have benefits beyond legal compliance for organisations.
"We speak to thousands of people and organisations every week and it’s clear that being on the register tells others a lot about you," Arnold said. "It’s a strong message for your customers – it lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately. It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations. It indicates that you’re more likely to take your other data protection responsibilities seriously too. It’s a reassurance for those thinking of doing business with you."