As readers will no doubt be aware, a new data protection regime comes into force on 25 May 2018 through the General Data Protection Regulation (the GDPR).
Under existing data protection laws, data controllers (including trustees of occupational pension schemes) are required to register with the Information Commissioner’s Office (the ICO) and pay a registration fee. The fee is used to fund the ICO’s work.
Under the GDPR, there will no longer be a requirement for controllers to register with the ICO, but most controllers will still be required to pay a revised annual fee. To assist controllers in understanding the new fees regime, the ICO has recently published guidance on this area.
How much is the new data protection fee?
Under the current regime, controllers are required to pay a registration fee of either £35 or £500 depending on their annual turnover and number of staff.
From 25 May 2018, there will instead be three different tiers of fee (£40, £60 or £2,900). As with the current regime, the different tiers will be based on the controller’s annual turnover and number of members of staff (with tier 1 controllers having a maximum annual turnover of £632,000 or no more than 10 members of staff; tier 2 a maximum annual turnover of £36 million or no more than 250 members of staff; and tier 3 catching anyone not in tier 1 or 2). However, there are some exemptions for certain specific types of organisation, and small self-administered pension schemes will always fall within tier 1.
Trustees of most occupational pension schemes are therefore likely to fall within tier 1 of the banding, meaning only a small increase in the fee currently paid. The ICO has, however, confirmed that controllers who are currently registered with the ICO will have their tier decided for them based on the information the ICO already holds, unless the ICO is provided with updated information.
Paying the new data protection fee
Controllers who are currently registered under existing data protection laws will not have to pay the new fee until their existing registration has expired (which will be 12 months from the date of registration). The ICO will write to the trustees prior to this date confirming the level of fee payable and how this can be paid (likely to be by direct debit or debit card via the ICO’s website). Trustees whose registration has recently expired and, for some reason, was not renewed will need either to inform the ICO of the level of fee they believe should be payable (otherwise a tier 3 fee will be assigned) or to renew before 25th May to stay on the old fee structure for the first 12 months.