GLD Vacancies

GDPR: goodbye notification, hello fees

Money iStock 000008683901XSmall 146x219Ibrahim Hasan looks at how the Government intends to ensure the Information Commissioner's Office is funded when the General Data Protection Regulation replaces the Data Protection Act.

Currently under the Data Protection Act 1998 (DPA), most Data Controllers have to go through a process of Notification with the Information Commissioner’s Office (ICO). This is a simple process, which involves completing an online form telling the Commissioner about their data processing activities. This appears on a publicaly searchable online register. It costs £35 or £500 to notify depending on the type of organisation.

Failure to notify is a criminal offence under section 17 of the DPA. In September 2016, a recruitment company was found guilty of this offence and ordered to pay a fine of £5,000, costs of £489.85 plus a victim surcharge of £120.

The General Data Protection Regulation (GDPR) come into force on 25 May 2018 replacing the DPA. There is no notification process under GDPR. However Article 30 does require Data Controllers as well as Data Processors to keep detailed records of their data processing activities depending on the size of the organisation. There are some similarities with “registrable particulars” under the DPA which must be notified to the ICO:

  • Name and details of the organisation (and where applicable, of other controllers, any representative and data protection officer)
  • Purposes of the processing
  • Description of the categories of individuals and categories of personal data.
  • Categories of recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
  • Retention schedules
  • Description of technical and organisational security measures

If the organisation has less than 250 employees it is only required to maintain records of activities related to higher risk processing, such as:

  • processing personal data that could result in a risk to the rights and freedoms of individual; or
  • processing of special categories of data or criminal convictions and offences.

These records must be made available to the ICO upon request.

With the absence of Notification in GDPR, Data Controllers looked set to save some money. (Not a lot but every little helps!) In contrast, the ICO seemed set to lose a lot of money. It is currently funded partly from the annual Notification fees. Last year it collected more than 17 million pounds. So how to plug the funding gap?

Enter the Digital Economy Bill, which is currently making its way through Parliament. Amongst other things, it contains provisions which will give public authorities (including councils) more power to share personal data with each other as well as, in some cases, the private sector.

But in a good week to bury bad news (aka Brexit and the Scottish Referendum), the Government published a memo, which indicates its intention to amend the Bill to include clauses giving Ministers the power to introduce regulations setting out new charges to be levied by the ICO on Data Controllers (See Para 45 – 53 entitled: Power to make regulations about charges payable to the Information Commissioner).

Note in particular paragraph 49 and 50 of the memo:

“49. The fees regulations may include provision for a free-standing charge – that is, where the charge does not relate to any service provided by the Information Commission to the data controller. They may also make provision about the times or periods within which a charge must be paid; and may make provision for different charges to be payable in different cases (including no charge or a discounted charge).

“50.The clause also confers a related power for the Secretary of State by regulations to require a data controller to provide information to the Information Commissioner, or to enable the Commissioner to require a data controller to provide information, for the purposes of determining whether a charge is payable and the amount of any such charge.”

This development should not surprise Data Controllers. A few years ago “the Justice Committee found changes to EU data protection laws could leave the taxpayer with a multi-million pound bill if the government does not find a new way to finance the Commissioner.” “Spreadsheet Phil” has enough on his hands without having to worry about filling the ICO funding gap with government money! What is to be seen is what the new charges will be and whether they will impose a further financial burden on Data Controllers when they will already be spending substantial resources implementing GDPR.

Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog.

Want to know more about GDPR?  Attend Act Now's full day GDPR workshop.  

GDPR Practitioner Certificate (GDPR.Cert) – A 4 day certificated course aimed at those undertaking the role of Data Protection Officer under GDPR whether in the public or the private sector.