Data Protection (Charges and Information) Regulations 2018
Don’t forget the new charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO), which came into force on 25th May 2018.
It’s one of the questions eNaycH is still being asked about, so let’s take a look at the legislation.
There are three different tiers of fee and controllers are expected to pay between £40 and £2,900 depending on;
- how many members of staff you have
- your annual turnover
- whether you are a public authority
- whether you are a charity
- whether you are a small occupational pension scheme.
Tier 1 – micro organisations
If you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
If you have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
The regulator (ICO) regards all controllers as eligible to pay a fee in tier 3 unless and until they are told otherwise.
- Staff administration
- Advertising, marketing and public relations
- For your own business
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions
- Processing personal information without an automated system such as a computer
Documentation – Article 30 GDPR
Another question constantly asked by sole traders and smaller SME’s is about documentation.
Controllers and processors each have their own documentation obligations. The Data Protection Act 2018 add some exemptions:-
If you have 250 or more employees, you must document all your processing activities.
There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special category personal or criminal conviction and offence data.