The Information Commissioner’s Office (ICO) has published a 77-page introduction to the Data Protection Bill, to help businesses navigate their way around the Bill and focus on the areas that are most relevant to them. Assuming it receives Royal Assent and becomes the Data Protection Act 2018, the Bill is expected to come into force on 25 May 2018, i.e. on the same date as the EU General Data Protection Regulation (GDPR). The two pieces of legislation will then work alongside each other in place of the current Data Protection Act 1998, which is to be repealed. The GDPR gives EU member states limited opportunities to make provisions for how it applies in their country. One element of the Bill is the details of these. The Bill is currently progressing through Parliament and is currently at Committee Stage in the House of Commons. The ICO intends to produce further detailed guidance on the Bill once it has been enacted.
In addition, the government has announced a new charging structure for data controllers to ensure the continued funding of the ICO. The draft Data Protection (Charges and Information) Regulations 2018 have been laid before Parliament and are also expected to come into force on 25 May 2018 in line with the GDPR. Until then, businesses are legally required to pay the current notification fee, unless they are exempt. When the GDPR comes into effect, it will remove the requirement for data controllers to pay the ICO a fee, but the new charging structure has been proposed by the government to ensure that the ICO remains adequately funded. The draft regulations, which will replace the Data Protection (Notification and Notification Fees) Regulations 2000:
- set out when data controllers will be required to provide information to the ICO and pay a charge associated with the processing of personal data
- require the payment of an annual charge to the ICO unless all processing undertaken by the data controller is exempt
- confirm that there will be three tiers of charge, i.e. £40, £60 and £2,900, depending on the data controller’s turnover, number of staff and organisation type.
For very small organisations, the fee won’t be any higher than the £35 they currently pay, if they take advantage of a £5 reduction for paying by direct debit. Larger organisations will be required to pay £2,900. The fee is higher because these organisations are likely to hold and process the largest volumes of personal data, and therefore represent a greater level of risk. There will continue to be financial penalties for not paying fees, but these will be in the form of civil monetary penalties rather than a criminal sanction.
To help data controllers understand why there is to be a new funding model and what they will be required to pay from 25 May 2018, the ICO has produced a new guide to the data protection fee. The guide also outlines the ICO’s intention to publish an online exemption assessment tool before 25 May 2018.