ICO Fines Businesses Over Failure To Pay New Data Protection Fees

The Information Commissioner’s Office (ICO) has issued fines against organisations in the business services, construction and finance sectors for not paying a new data protection fee that came into force alongside new data protection laws in May.

The annual fee is, in the case of the smallest organisations, comparable to the £35 per year paid before the new regulations, but is up to £2,900 for those who employ more staff or have a larger turnover.

Organisations who process individuals’ data are required to pay the fee, which funds the ICO’s activities.  Large organisations are charged more because they are likely to process more data.


More fines on the way

The ICO didn’t name any of the organisations fined so far, but said it has issued a first tranche of 100 fine notices.

“More fines are set to follow,” the ICO said, adding that it has issued more than 900 notices of intent to fine since September.

Fines range from £400 to £4,000, or £4,350 if “aggravating factors” are present, and the funds thus recovered go not to the ICO, but to the Treasury.

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations,” said ICO deputy chief executive Paul Arnold. “They must now pay these fines within 28 days or risk further legal action.”

With much broader data protection laws in place since May, the ICO now employs 670 staff.

Companies that process or hold individuals’ personal data have until now been largely self-regulating, with governments unwilling to pass oversight laws that might stall the growth of, for instance, high-tech or social media firms.

Data scandals

Facebook, for example, has since launch been notorious for its aggressive approach to collecting and making use of data on its billions of users.

But data protection issues have come to a head over the past year over Facebook’s Cambridge Analytica scandal and others exposed the use of online data in political campaigns, including, in the UK, the most recent General Election and the campaign to leave the EU.

At the same time, the EU’s General Data Protection Regulation (GDPR), which was proposed back in 2012, finally came into force in May.

The ICO issued the UK’s first GDPR notice in September.

The agency’s other recent actions include a £385,000 fine against ride-hailing app firm Uber for a data breach in which the ICO said the US company had displayed a “complete disregard” for those whose data had been stolen by hackers.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Italian Regulator Recalculates Apple, Amazon Fines

Italian regulator admits it has redetermined the fines against Apple and Amazon, over the sale…

10 hours ago

Red Cross ‘Appalled’ As Hackers Steal Humanitarian Data Of 515,000 People

A new low. International Committee of the Red Cross shuts down reunification system, after hackers…

13 hours ago

Russia Proposes Ban On Cryptocurrencies, Crypto Mining

Russia's central bank has this week proposed the banning on the use and mining of…

14 hours ago

Apple Working To Patch Safari Data Leak Vulnerability

Oh dear, not so private. Webkit browser engine flaw has been leaking user ID and…

16 hours ago

EU Chief Confirms Chip Law Proposal For Early February

Chip shortage solution? European Commission boss says the European Chips Act legislation will be proposed…

17 hours ago