In September we reported that the Information Commissioner's Office (ICO) had served its first notices of intent to issue monetary penalty notices to certain data controllers, for failure to pay the new statutory data protection fee. The ICO has today (28 November) announced the outcome of the process, with news that organisations "across the business services, construction and finance sectors" have now been served with penalties. However, it has announced neither the identities of the controllers nor the amounts of the penalties served.
Regulations (The Data Protection (Charges and Information) Regulations 2018), made under sections 137 and 138 of the Data Protection Act 2018 (DPA), provide for a domestic scheme under which data controllers must pay a "fee" to the ICO, unless they can avail themselves of an exemption. Under a three-tier system, payment of a fee of £40, £60 or £2,900 (depending upon the size of the data controller) is mandatory, unless an exemption applies. Failure to pay exposes a data controller to the risk of a civil monetary penalty (levied by the ICO) of up to £4,350.
Regarding their decision not to name the organisations, the ICO has informed Mishcon de Reya that: “We are not naming the organisations who we are sending the monetary penalty notices to at this stage as it is about raising awareness that organisations need to pay their data protection fee - unless they are exempt - that the law has changed and they could face a fine.”
The ICO's announcement states that the penalties follow "numerous attempts to collect the fees via our robust collection process". This seems to suggest that organisations that are otherwise responsible when it comes to data protection compliance, but that might have failed initially to pay the fee, should have little to fear (as long as they pay up as soon as possible). However, it is now clear that the ICO will not be shy about issuing penalties to those who wilfully or negligently fail to pay, despite reminders.