UK organisations are required to pay the Information Commissioner’s Office (ICO) an annual data protection fee unless they are exempt. The fee payable depends on the tier of the organisation, and ranges from £40 to £2,900.
Companies could also be fined a massive £4,350 if “aggravating factors” are present, and the funds thus recovered go not to the ICO, but to the Treasury.
Organisations who process individuals’ data are required to pay the fee, which funds the ICO’s activities. Large organisations are charged more because they are likely to process more data.
The ICO has so far issued a penalty notice to more than 100 organisations for failing to pay their data protection fee, which came into force this year to fund the GDPR’s broad regulatory approach.
Excuses that companies offer for failing to pay this fee may not be accepted by the ICO as a reason for non-payment.
This was more than evident recently when the luxury paint and wallpaper company Farrow & Ball Limited was issued with a £4,000 penalty for its failure to pay the £2,900 data protection fee required of a tier 3 organisation.
Farrow & Ball appealed this penalty notice at the First Tier Tribunal in March this year on the basis that its failure to pay was an innocent mistake, as:
- the ICO’s reminder was sent when the relevant individual was on holiday;
- the reminder was not identified as important internally;
- Farrow & Ball contacted the ICO promptly once the failure was identified and paid the fee immediately; and
- Farrow & Ball has put procedures in place to ensure it will not happen again.
However, in its first ruling of an appeal against such a notice, the Tribunal held that Farrow & Ball did not have a reasonable excuse for non-compliance as a “reasonable controller” would have systems in place to comply with the 2018 Regulations and there was no particular difficulty or misfortune which explained Farrow & Ball’s departure from the expected standards of a “reasonable controller”.
There was no evidence of financial hardship or other reason for the ICO’s discretion to be exercised differently. The penalty notice was therefore upheld.
Subject to any further appeal by Farrow & Ball, it is likely that a similar approach will be taken by the Tribunal in any appeals brought in future.
Paul Arnold, ICO Deputy Chief Executive Officer/Executive Officer, said:
“Last year we began for non-payment of the data protection fee, sending out a clear message that those who didn’t pay risked a fine.
“We stepped that up earlier this year when we began identifying organisations which had been issued with a fine, as well as trend reports to show which sectors had been issued with fines.
“The recent dismissal of the first appeal of a fine for non-payment of the fee by Farrow and Ball sends a further message, loud and clear, that there is no excuse for non-payment.”
Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said: “Altogether, the ICO’s announcements and enforcement action amount to a concerted campaign and it demonstrates its willingness to clamp down on companies that fail to pay the data protection fee.
“Businesses that have not yet done so should examine whether they are eligible for an exemption from the fee and, if not, complete the process of payment promptly.”