The Data Protection (Charges and Information) Regulations 2018

New legislation which governs the requirement for a company to register with the Information Commissioner’s Office (ICO), and pay the appropriate charge, has now been published. The new legislation dictates when a charge has to be paid by the data controller to the Information Commissioner. All companies which process personal data will need to register unless they are exempt.

However, many companies will not have to pay a charge if their data falls under the list of Exempt Processing. Listed below are the main exemptions that will exclude your business from the ICO charge:

…. The processing is-

(2)(d) for the purposes of matters of administration in relation to the members of staff and volunteers of, or persons working under any contract for services provided to, the data controller;

(e) for the purposes of advertising, marketing and public relations in respect of the data controller’s business, activity, goods or services;

(f) for the purposes of—

(i) keeping accounts, or records of purchases, sales or other transactions,

(ii) deciding whether to accept any person as a customer or supplier, or

(iii) making financial or financial management forecasts,

in relation to any activity carried on by the data controller;

The charge is defined on a sliding scale;

Tier 1

• Turnover less than or equal to £632,0000; or
• 10 or less staff; or
• It is a charity; or
• It is a small occupational pension scheme

= £40

Tier 2

• Not in Tier 1 and;
• Turnover of less than or equal to £36 million for the data controller’s financial year; or
• 250 or less staff

= £60

Tier 3

• Not in Tier 1 or 2

=£2,900

Aspire Comment

We recommend that all companies use the online self-assessment tool to establish if they are required to register with and pay the charge to the ICO.