The fees for businesses wanting to process customer data under the forthcoming General Data Protection Regulation (GDPR) have been published.
Under the regulations coming into force on May 25, organisations must pay the Information Commissioner’s Office a data protection fee.
There are three different tiers of fee and charges are between £40 and £2,900.
The fees are set to "reflect what Parliament believes is appropriate based on the risks posed by the processing of personal data by controllers", said the ICO.
There are three payment tiers.
The tier a business falls into depends on:
- how many members of staff it has
- its annual turnover
- whether it's a public authority
- whether it's are a charity
- whether the business has a small occupational pension scheme.
Tier 1 – micro organisations
A business has a maximum turnover of £632,000 for your financial year or
no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
A business has a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If the business does not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
Members of staff
The ICO says ‘members of staff’ is defined to include all your employees, workers, office holders and partners.
Members of staff is the average number working for you during your financial year.
Each part-time staff member is counted as one member of staff.
So a business:
- work out, for each completed month of your financial year, the total number who were members of staff in that month
- add together the monthly totals
- divide it by the number of months in your financial year.
It doesn’t matter if your members of staff are based in the UK, overseas or a mixture of both, they all count.
The fees fund data protection work.
READ MORE: The ICO's data processing fees (pdf)