The ICO has stepped up its campaign to take action against organisations who have not paid their data protection fee by naming and shaming offenders on their website. The following case also highlights the fact that there is no excuse for non-payment of the data protection fee.
Paint and wallpaper company, Farrow and Ball, recently lost its appeal against a fine issued by the Information Commissioners Office (ICO) for non-payment of the annual data protection fee. The company had not disputed the fact that it had an obligation to pay a fee, but rather that the £4,000 monetary penalty should be reduced or not imposed at all, on a number of grounds, including that the reminder to pay letter from the ICO arrived when the person responsible was on holiday.
The first-tier tribunal accepted that although the non-payment was an oversight the company should have had measures in place to prevent this happening.
The ICO said data controllers are given adequate opportunity to pay the fee to the ICO before they are issued with a fine. Being on holiday is no excuse.
Since 2018 organisations that determine the purpose for which personal data is processed (controllers) must pay a data protection fee unless they are exempt. The new data protection fee replaces the requirement to ‘notify’ (or register), which was the case before GDPR.
There are three different tiers of fee, set by Parliament, and controllers are expected to pay between £40 and £2,900.
Tier 1 – micro organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2 , you have to pay the tier 3 fee of £2,900.
The ICO now ‘name and shame’ a list of organisations who have been issued with a monetary penalty for non-payment of their data protection fee by publishing their names on their website (except for sole traders or partnerships for privacy reasons).
In total, 85 organisations have been issued with a £400 penalty notice, 2 organisations have been issued with £600 penalty notices while 16 organisations have been issued with a £4,000 penalty notice.
Figures from the ICO website show that Finance and Pensions tops monetary penalties by sector list with 18 penalties. Health have 10, Software Development have 4, Legal have 2 and Council/Local Government have 1.
Avoid unnecessary penalties and reputational damage – pay your fee!