Under the current Data Protection Act (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect, and what they do with it. Organisations also have to pay the ICO a notification fee, based on their size, of either £35 or £500.
When the GDPR comes into effect next year, there will no longer be a requirement to notify the ICO in the same way. There will still be, however, a legal requirement for data controllers to pay the ICO a data protection fee.
The new fees are expected to reflect the risk of data processing across various businesses, varying from large to small. The size of the fee will still be based on an organisation’s size and turnover. It will also consider the amount of personal data it’s processing.
Further guidance on how the new fee system will work should be available at the end of this calendar year.
For more information, please contact Nia Cooper.
To read the rest of this month's updates, please click here.