Organisations face fines of up to £4,350 for failure to pay the new fees, which came into force this year to fund the GDPR’s broad regulatory approach
The Information Commissioner’s Office (ICO) has issued fines against organisations in the business services, construction and finance sectors for not paying a new data protection fee that came into force alongside new data protection laws in May.
The annual fee is, in the case of the smallest organisations, comparable to the £35 per year paid before the new regulations, but is up to £2,900 for those who employ more staff or have a larger turnover.
Organisations who process individuals’ data are required to pay the fee, which funds the ICO’s activities. Large organisations are charged more because they are likely to process more data.
More fines on the way
The ICO didn’t name any of the organisations fined so far, but said it has issued a first tranche of 100 fine notices.
“More fines are set to follow,” the ICO said, adding that it has issued more than 900 notices of intent to fine since September.
Fines range from £400 to £4,000, or £4,350 if “aggravating factors” are present, and the funds thus recovered go not to the ICO, but to the Treasury.
“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations,” said ICO deputy chief executive Paul Arnold. “They must now pay these fines within 28 days or risk further legal action.”
With much broader data protection laws in place since May, the ICO now employs 670 staff.
Companies that process or hold individuals’ personal data have until now been largely self-regulating, with governments unwilling to pass oversight laws that might stall the growth of, for instance, high-tech or social media firms.
Facebook, for example, has since launch been notorious for its aggressive approach to collecting and making use of data on its billions of users.
But data protection issues have come to a head over the past year over Facebook’s Cambridge Analytica scandal and others exposed the use of online data in political campaigns, including, in the UK, the most recent General Election and the campaign to leave the EU.
At the same time, the EU’s General Data Protection Regulation (GDPR), which was proposed back in 2012, finally came into force in May.
The ICO issued the UK’s first GDPR notice in September.
The agency’s other recent actions include a £385,000 fine against ride-hailing app firm Uber for a data breach in which the ICO said the US company had displayed a “complete disregard” for those whose data had been stolen by hackers.