Up until now, registering with the ICO has been a no-brainer. It’s one of the questions that gets asked on the sale of the business. The buyer’s lawyer says “Have you had any data breaches? Have you registered with the ICO?” For most SMBs, it was a £35 hit to make them more compliant. Of course, registration alone is not enough to ensure you’re compliant. And there is now a greater emphasis on compliance because of the forthcoming GDPR. But at least it gets the business thinking about compliance. This fee is currently slightly higher, £500, for public sector bodies or larger businesses with a turnover >£25.9m and more than 249 staff.
This is changing under GDPR. The ICO has published its draft charges from May and for larger businesses, this will be a large hike:
Tier 1: £40 for micro organisations (annual turnover up to £632,000 or no more than 10 members of staff)
Tier 2: £60 for small and medium organisations (annual turnover up to £36m or no more than 250 members of staff)
Tier 3: £2,900 for large organisations
The ICO points out: “You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes: staff administration; advertising, marketing and public relations; accounts and records; not-for-profit purposes; personal, family or household affairs; maintaining a public register; judicial functions; processing personal information without an automated system such as a computer”.
This is coupled with the increase in fines for data breaches of up to 4% of global turnover or €20m, whichever is higher.
The business of data protection is about to become more expensive.