The government has proposed increasing the maximum fees organizations will have to pay data protection watchdog the Information Commissioner’s Office (ICO) as it looks to ramp up its activity to regulate the forthcoming GDPR.
Currently, data controllers are legally required to register with and pay the ICO either £35 or £500 annually depending on their revenue and number of employees.
However, the government is proposing to shift this to a new three-tiered funding model which will take effect when the GDPR lands on May 25.
“The government, which has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organization processes,” the ICO explained. “The model is divided into three tiers and is based on a number of factors including size, turnover and whether an organization is a public authority or charity.”
Micro-organizations of fewer than 10 staff or maximum turnover of £632,000 will be charged £40 — or £35 if they pay by direct debit, making the costs unchanged from the current fees.
However, Tier 2 organizations — SMEs with maximum turnover of £36m or no more than 250 members of staff — will need to pay a £60 fee.
The biggest increase comes for Tier 3 data controllers, large organizations which must fork out £2900 — potentially a £2400 increase on what they currently pay.
“The fee is higher because these organizations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk,” the ICO claimed.
Charities will be designated as Tier 1 organizations regardless of size or turnover, whilst public authorities can classify according to staff numbers, not turnover, the ICO said in an accompanying guide.
The changes come as the ICO’s already stretched resources are expected to come under even greater pressure with the introduction of the new privacy regulation from Brussels. The government claimed its "income requirements" would increase from around £19m in 2016/17 to £33m in 2020/21.