The Information Commissioner’s Office (ICO) has announced that it intends to write “to all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee” (the fee in question being one mandated for some data controllers under secondary legislation).
This is remarkable for a number of reasons.
Firstly, there are approximately 4.2 million limited companies registered in the UK. By any standards an exercise to write to all of those will surely be a hugely costly and time-consuming exercise (the ICO has clarified to this firm that the communications will be by post).
Secondly, the ICO appears to imply that all registered companies should pay a data protection fee. Many of the companies registered at Companies House are, for instance, dormant, or will be able to avail themselves of an exemption, for instance where the processing is solely for the purposes of keeping accounts, or records of purchases, sales or other transactions; deciding whether to accept any person as a customer or supplier; or making financial or financial management forecasts (the exemptions are contained in the Schedule to the Regulations). Oddly, though, the ICO's blogpost says "if you hold personal information for business purposes on any electronic device…it is likely an annual fee payment is due". The basis for this assertion is not immediately apparent and, if it were true, many of the exemptions would appear to be pointless or only available in exceptional circumstances.
Thirdly, and for reasons related to the first two observations, the news is remarkable because it has the potential to result in a great deal of concern for many owners and officers of small companies which may never have had any reason to pay a fee to (or, under the prior law, register their processing with) the ICO. Failure to pay the fee in circumstances where no exemption applies can attract a monetary penalty of up to £4350. In light of all this, it might not be surprising if some controllers took the decision simply to pay the fee without being certain whether they need to pay or not. Such controllers who receive a letter from the ICO, and who think they may not need to pay a fee, may want to query with the ICO why the latter thinks, in their specific case, they have to.