Fees for data controllers under GDPR
This blog has been updated. It was originally published 4th April 2018.
Since the GDPR (General Data Protection Regulation) was introduced in May 2018, we have seen the removal of the annual registration cost, which was previously paid to the Information Commissioner’s Office for registration under the UK Data Protection Act 1998.
It’s no secret that Data Controllers need to maintain their own records of data processing (as per Article 30). If you are classified as a Data Controller under GDPR (an organisation or sole trader that processes personal data), you still need to register with the ICO (Information Commissioner’s Office).
If you are not sure whether you need to register, you can check using the ICO’s registration self-assessment tool.
The cost of registering as a data controller
Organisations that process personal data are charged a fee depending on which of three tiers they fall within:
- Tier 1 is for “micro organisations” – those with an annual turnover of less than £632,000 or with no more than 10 members of staff
- Tier 1 also includes charities and small occupational pension schemes, regardless of size or turnover
- Tier 2 is for “SME organisations” – those with a turnover of no more than £36 million, or no more than 250 personnel
- Tier 3 is for “large organisations” (all other organisations)
The fees associated with each of these tiers are as follows (a £5 discount applies for direct debit payments):
- Tier 1 – £40
- Tier 2 – £60
- Tier 3 – £2,900
Public authorities will be charged in accordance with their number of personnel and not their annual turnover.
Exemptions from the new fee schedule apply if one or more of the following situations applies:
- Personal and family data processing
- Employee administration
- Accounts and records
- Judicial functions
- Not-for-profit activities
- Advertising, marketing and public relations
- Maintaining a public register
- Personal data processing not undertaken on an electronic device
To find out more, review this detailed ICO guidance on GDPR fees, which will help you to prepare and budget accordingly.