As readers will no doubt be aware, a new data protection regime comes into force on 25 May 2018 through the General Data Protection Regulation (the GDPR).
Under existing data protection laws, data controllers (including trustees of occupational pension schemes) are required to register with the Information Commissioner’s Office (the ICO) and pay a registration fee. The fee is used to fund the ICO’s work.
Under the GDPR there will no longer be a requirement for controllers to register with the ICO but most controllers will still be required to pay a revised annual fee. To assist controllers in understanding the new fees regime, the ICO has recently published guidance[i] on this area.
How much is the new data protection fee?
Under the current regime, controllers are required to pay a registration fee of either £35 or £500 depending on their annual turnover and number of staff.
From 25 May 2018, there will instead be three different tiers of fee (£40, £60 or £2,900). As with the current regime, the different tiers will be based on the controller’s annual turnover and number of members of staff (with tier 1 controllers having a maximum annual turnover of £632,000 or no more than 10 members of staff; tier 2 a maximum annual turnover of £36 million or no more than 250 members of staff; and tier 3 catches anyone not in tier 1 or 2). However there are some exemptions for certain specific types of organisation, and small self-administered pension schemes will always fall within tier 1.
Trustees of most occupational pension schemes are therefore likely to fall within tier 1 of the banding, meaning only a small increase in the fee currently paid. The ICO has, however, confirmed that controllers who are currently registered with the ICO will have their tier decided for them based on the information the ICO already holds, unless the ICO is provided with updated information.
Paying the new data protection fee
Controllers who are currently registered under existing data protection laws will not have to pay the new fee until their existing registration has expired (which will be 12 months from the date of registration). The ICO will write to the trustees prior to this date confirming the level of fee payable and how this can be paid (likely to be by direct debit or debit card via the ICO’s website). Trustees whose registration has recently expired where for some reason the registration was not renewed will need to inform the ICO of the level of fee they believe should be payable otherwise a tier 3 fee will be assigned or renew before 25th May to stay on the old fee structure for the first 12 months.
Where a controller has not paid the fee and should have paid a fee (or does not pay the correct fee), the ICO has the power to issue a fine of up to £4,350 (equating to 150% of the top tier fee).
Trustees who are already registered with the ICO should await correspondence confirming the level of fee payable. If trustees disagree with the tier given, they can make representations to the ICO. Trustees whose registration has recently expired or who are paying for the first time will need to contact the ICO directly to agree the level of fee payable. However small self-administered pension schemes will only be liable to pay the tier 1 fee, and most other occupational schemes are also likely to fall within tier 1.
[i] The guidance remains in draft form until the Data Protection (Charges and Information) Regulations 2018 come into force
This blog post was written by Paul Wild. For further information, please contact:
Michael Collins, partner, Pensions
T: 0121 234 0236