NHS faces regulatory action over unpaid data protection fees
Trusts among dozens of organisations told by ICO to pay up or face fines


The Information Commissioner's Office (ICO) has sent dozens of warning letters to organisations for failing to pay data protection fees under a new regime, including the NHS and public sector bodies.
Before the new fees structure came into force on 25 May, which coincided with the General Data Protection Regulation (GDPR), organisations had to pay either a £35 fee or a £500 fee depending on size and turnover.
But a host of organisations have been reprimanded for failing to adhere to the new structure, set by the government, which sees fees split into three tiers. These are a £40 fee for micro-organisations, £60 for SMBs with a maximum annual turnover of £3.6 million, and £2,900 for the largest organisations.
The UK's data protection regulator sent official warning letters to 34 organisations earlier this month for failing to pay their data protection fees, with more notices in the drafting stage and due to be sent out soon.
Organisations under scrutiny, which include NHS Trusts, governmental organisations, and unnamed accounting, recruitment and finance firms, have 21 days to respond. Failure to pay within this period could see fines of between £400 and £4,000 levied, with aggravating factors raising the ceiling to £4,350.
"We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine," said the ICO's deputy chief executive officer Paul Arnold. "But we will not hesitate to use our powers if necessary.
"All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action."
The ICO, which employs 670 staff, says the fees help to fund the data regulator's work, which includes upholding information rights and conducting investigations into data breaches and complaints.
The regulator also produces a wealth of guidance for businesses and public sector bodies, especially in light of the introduction of GDPR, and the Data Protection Act 2018 (which cements the European regulations into UK law).
The ICO normally conducts several investigations simultaneously, but a massive proportion of resources have been poured into investigating 30 organisations, including Facebook and Cambridge Analytica, in a wide-reaching data misuse scandal.
Information Commissioner Elizabeth Denham indicated in an interim report, published earlier this year, that the ICO will fine Facebook £500,000 under the Data Protection Act 1998, the maximum permitted.
A significant increase in demand for guidance and information from SMBs has also seen the ICO set up a phone service to handle GDPR requests.
Calls to the helpline increased by 25% in the third quarter 2018 against the second quarter, according to the ICO's latest annual report, while demand for written advice rose by 40% compared to last year.
IT Pro asked the ICO whether it could disclose how many further letters are to be sent, and whether it had given informal reminders before taking enforcement action.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.