The draft Data Protection (Charges and Information)
Regulations 2018 have been published. They are available as a pdf on the
legislation website here. As you
might expect, they aim to come into force on 25 May 2018.
The draft is subject to Parliamentary approval but,
especially given the limited time available, they are unlikely to change.
As regards fees, the draft bears little relation to the pre-consultation figures (set out here).
The first 21 days of GDPR threaten to bring an avalanche of
information to the ICO door as those data controllers who did not pay a fee under
the old regime are required to send information and a fee within that period.
Regulation 3 makes provision for the amount of a charge to
be paid by a data controller to the Information Commissioner in respect of each
charge period. Three tiers of charge are prescribed, in the amounts of £40, £60
and £2900 according to criteria relating to a data controller’s turnover and
number of members of staff (or only members of staff, for a public authority).
Specific provision is made for charities and small occupational pension schemes
and the charge is reduced if a data controller pays the charge by direct debit.
The descriptions of exempt processing are set out in
paragraph 2 of the Schedule to the Regulations and cover non-automated
processing; processing undertaken for the purposes of personal, family or
household affairs; processing for the purpose of the maintenance of a public
register; processing for the purposes of operations involving staff
administration; processing for the purposes of advertising, marketing and
public relations in respect of the data controller’s own activities; processing
for the purposes of accounts, record keeping and the making of financial
forecasts; processing carried out by non profit-making organisations for
certain purposes; and processing for the purposes of exercising judicial
functions.