First fines issued to organisations for non-payment of data protection fee

The Information Commissioner’s Office has issued the first fines for not paying the data protection fee to organisations across a range of sectors including business services, construction, finance, health and childcare. The ICO has issued over 900 notices of intent to fine since September and more are expected to follow. Fines range between £400 to £4,350 and are dependent on organisation size and turnover.

Make sure your registration is up to date (Note: if your previous registration under Data Protection Act 1998 is still in date you do not need to pay the new fee until it expires).  Here is a quick guide to your data protection registration and record-keeping obligations.

Registration under current legislation

GDPR removed the obligation on organisations to register with the ICO while adding in the need to keep full and accurate records of personal data processing in the shape of Article 30:

1 Each controller shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1). “32(1)” insert “or section 28(3) of the 2018 Act”;

In the UK, the requirement for organisations to register was reinstated in the Data Protection (Charges and Information) Regulations 2018 which require every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.  The only exceptions to this are organisations who do not process personal data, or who process it as a one-off, ad-hoc event. There are some very limited exceptions for non for profit organisations and micro businesses but only where their processing of personal data is minimal.

Anyone in doubt about whether or not to register can find out for sure by visiting the ICO web-site where there is a helpful tool which will indicate whether or not they need to register.

Record keeping under GDPR

Before GDPR Article 30 some record-keeping on personal data was already required for organisations to provide the Information Commissioner’s Office with information as part of the registration process.

Duty to maintain records of the organisation’s personal data processing activities

These records should include details about: data subjects, categories of data, categories of special category data, the purposes of the processing, the sources of the data, the identity of any third parties the data is shared with, whether any data processing is outsourced to third parties, the data retention period, whether the data is subject to any automated decision making and whether the data is transferred to countries outside the EEA.

We have found in practice that these records are best created with direct input from the managers of those departments which process personal data.  We refer to the records as an Information Asset Register and it is an essential compliance tool as it highlights data retention, data sharing and data processing (outsourcing), international transfers and other activities which give rise to further compliance issues.

The exercise of creating the records and then reviewing them also provides an opportunity to question some of the underlying practices around data collection, use and retention.  In practice we have found it provides an invaluable chance to upskill managers.

Reviews of Article 30 records should be documented to meet the evidential aspect of Accountability