Following the Government's Statement of Intent in August, the Data Protection Bill to update data protection laws in line with the General Data Protection Regulation (GDPR) was introduced to the House of Lords on 13 September 2017.
The Bill is still to pass through three readings and the committee and report stages in both the House of Lords and House of Commons, although it is anticipated that it will be approved in substantially the same form it is in now.
On 5 October, the Information Commissioner's Office (ICO) confirmed, as indicated by the Bill, that there will no longer be a duty on controllers to notify the ICO. However, controllers will still be obliged to pay a fee, as provided for by section 108 of the Digital Economy Act.
The amount of the fee is being considered by the Department for Digital, Culture, Media and Sport (DCMS), together with the ICO. It will be based on the size and turnover of the organisation, as it is now, and also the volume of data being processed and the associated risk. The final fees will be approved by Parliament and are expected to go live on 1 April 2018.
Controllers should continue to renew their notifications with the ICO as usual until the change. Future fees are anticipated to be due upon the next renewal date after the change.
Exemptions to the fee model are expected to remain similar to those that exist now.
The ICO will provide an update in due course, expected by the end of the year. Brabners will also be publishing further commentary on the Bill as it progresses.
...a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. The amount of the data protection fee is being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament. The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing...