The General Data Protection Regulation (GDPR) came into force on 25th May 2018 and relates to personal data, that is, information which can identify a living person, for example names, addresses and birth dates.
The GDPR covers the processing of personal data in two ways:
- Personal data processed wholly or partly by automated means (that is, information in electronic form).
- Personal data processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).
It also identifies certain types of information which require extra protection, such as medical information, religious beliefs and race. For the first time, genetic data and some biometric data are included, for example fingerprints and facial images.
This ‘special category’ data is broadly similar to the concept of sensitive personal data under the previous data protection law, the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar.
Alongside the new laws brought into place, there were some changes to how organisations register with the ICO and the data protection fee. The law says that every organisation or sole trader that processes personal information must pay a fee unless they’re exempt.
The ICO is the regulator responsible for upholding data protection law in the UK. It offers advice and guidance, promotes good practice, monitors breach reports, conducts audits and advisory visits, considers complaints, monitors compliance and takes enforcement action where appropriate. The data protection fee directly funds its work, providing advice and guidance to organisations across all sectors about how to comply with the GDPR.
It produces a wealth of online resources, including guidance for smaller businesses and for others who may need more support in meeting the requirements of data protection law.
The ICO also provides a small organisation helpline, live chat service and digital toolkits.
The ICO has identified a number of sectors where it wants to increase awareness and compliance with payment of the fee, including the care sector.
Faye Spencer, Head of Customer Contact at the ICO said, ‘We want to make sure operators in the sector know what the fee is and why they need to pay it and we are here to help them with that. It’s a straightforward process and the annual fee can be as little as £35 for smaller operators.
‘However, we now have the power to issue penalties for non-payment and we have stepped up action against those that continue to flout the law. We have issued fines ranging from £400 to £4,350.’
In the first quarter of 2019-20, the ICO issued 56 fines to the social care sector. These fines go directly to the Treasury, not the ICO.
Faye Spencer says, ‘We are a fair and proportionate regulator and fines are a last resort, we prefer to educate rather than enforce. Those who haven’t paid or renewed their fee have the opportunity to put things in order and pay before we take action but we will use our powers if necessary.’
The ICO is also writing to all care homes in the UK that are not currently registered with it, to remind them of their obligation to pay the fee.
Protecting your reputation
Aside from it being a legal obligation, there are also reputational benefits to paying the fee. When an organisation pays, its details are published on the public register of data controllers. Members of the public and other companies do check the register. It gives an indication about how seriously an organisation takes its data protection obligations. For care providers, it can make a good impression with those they care for and their families because, on a practical level, data protection is also about building trust between people and organisations.
As part of its drive to raise awareness in the sector, the ICO attended the Residential and Care Home show earlier this year to provide information and speak directly to operators.
Faye said, ‘It was a great opportunity to hear directly from those working in the sector. It was also an opportunity to answer questions on a broad range of data protection topics with subject access requests – requests from people for personal data held by operators – and the retention of personal information among the most frequently asked.’
The GDPR says that people have the right to find out what information organisations hold about them and to request copies of that information. This is known as a subject access request. Organisations can no longer make a charge for doing this.
The retention of personal information, or ‘storage limitation’ as it is referred to in the legislation, has not changed significantly under the GDPR. It does not specify a time limit but says that you must not keep personal data for longer than you need it for the purposes for which you originally collected it.
The ICO is there to support care homes with their data protection obligations through its extensive online guidance including on how to pay the fee. If you are unsure about whether you need to pay the data protection fee, there is an online self-assessment which is quick and easy to complete.
Your data protection fee depends on the size of your organisation or its turnover. There are three different tiers of fees controllers are expected to pay – £40, £60 or £2,900. No VAT is charged on the fee. For most organisations, the cost will be £40 or £60. There is also a £5 discount for anyone who pays by direct debit.
The tier your organisation falls into depends on a number of things including how many members of staff you have and your annual turnover.
- Tier 1 – micro organisations: you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
- Tier 2 – small and medium organisations: you have a maximum turnover of £36m for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
- Tier 3 – large organisations: if you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
You can use our fee-assessment tool to find out exactly how much you will need to pay.
There are some common misconceptions about what providers need to do and the ways in which they can do it. It is easy to pay the registration fee online, following a straightforward process which takes about 15 minutes. For businesses that operate a number of care homes, there can be some confusion about whether a fee needs to be paid for each care home. In this case, the easiest thing to do is to contact the data protection fee helpline for tailored advice.
Typically, a separate fee must be paid by each company that is a data controller.
There are some private companies who offer to complete the data protection fee payment on behalf of your organisation, often charging more than the standard cost. Be aware that these agencies have no official standing or powers under data protection law, and there is no connection between them and the ICO; we would always recommend that you pay the ICO directly.
Once you have paid the fee, you can access a range of online practical advice and guidance you might find useful.
Paying a penalty
Part of the ICO’s role is to take action to ensure organisations meet their information rights obligations.
You need to renew your data protection fee each year, or tell the ICO if your registration is no longer required. If you fail to do so, the ICO can issue a monetary penalty of up to £4,350 on top of the fee you are required to pay.
Faye Spencer is Head of Customer Contact at the Information Commissioner’s Office (ICO). Email: firstname.lastname@example.org
The ICO provides more detailed guidance on its website. You can also contact the data protection fees helpline on 0303 123 1113 to discuss how the ICO can help.
What areas of GDPR are you unsure about? Share your questions and experiences in the comments section below.