The Information Commissioner’s Office (ICO) issued 340 monetary fines to organisations between July and September for failing to pay the mandatory data protection fee that all organisations that process personal information are required to pay to the information security watchdog.
In February this year, Paul Arnold, deputy chief at the ICO, issued an advisory to all small businesses operating in the UK, asking them to pay the mandatory data protection fee not only because it was lawful to do so but also to preserve their reputation as responsible data controllers.
“It’s the law to pay the fee, which funds the ICO’s work, but it also makes good business sense. Because whether or not you’ve paid the fee could have an impact on your reputation. When you’ve paid, your business is published on our register of data controllers. Members of the public and other companies check that list before they decide to do business.
“We speak to thousands of people and organisations every week and it’s clear that being on the register tells others a lot about you. It’s a strong message for your customers – it lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately.
“It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations. It indicates that you’re more likely to take your other data protection responsibilities seriously too. It’s a reassurance for those thinking of doing business with you,” Arnold wrote.
Over 600,000 organisations are now paying the data protection fee
In a fresh blog post, Arnold said that the ICO has launched a new campaign to remind all registered UK companies to pay the data protection fee as long as they are processing personal information and are not legally exempt from paying the fee.
He said that even though over 600,000 organisations have registered to pay the data protection fee since the arrival of GDPR, the ICO issued a total of 340 monetary fines to organisations between 1 July and 30 September this year for failing to pay their respective fees.
“As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information,” he said.
If organisations are processing personal information but are not paying the data protection fee, they risk being fined between £400 and £4,000 under provisions of GDPR. What this means is that fines for small businesses with modest turnover could be over ten times as much as the fee they’re required to pay.
While small businesses employing fewer than ten employees are required to pay £40 as data protection fee, small and medium businesses are required to pay £60, and only those organisations that employ over 250 people or have a turnover in excess of £36 million are required to pay a minimum £2,900 as data protection fee.
Arnold added in his blog post that if organisations sign up to pay the data protection fee by direct debit, the total amount they are required to pay will be reduced by £5. In order to help organisations register themselves, the ICO has dedicated Helpline and Live Chat services and has introduced various self-assessment tools and products on its website.