How to avoid a £400 fine – GDPR has only just begun
On 26 September 2018, the Information Commissioner’s Office (ICO) announced that it has commenced formal enforcement action against 34 organisations that have failed to pay the new data protection fee under the Data Protection Regulations 2018. It has also stated that more notices of its intent to fine organisations are in the drafting stage and will be issued soon.
The 34 notices of intent were sent to a range of organisations across both the public and private sectors. If faced with formal action, an organisation has 21 days to respond to the notice and pay the relevant fee to prevent any further action.
Targeting organisations that have failed to pay the data protection fee is a case of picking off the ‘low hanging fruit’ first. It’s fairly easy for the ICO to evidence non-compliance in this regard, as all organisations that process personal data must pay a fee to the ICO unless they are exempt.
The fee is part of the reforms which came into force with the GDPR on 25 May 2018. Organisations will need to register with the ICO as a data processor and pay an annual data protection fee. The money is used to fund the ICO’s data protection services, which have expanded under the GDPR to include the ICO advice line, more online resources and new guidance.
If an organisation fails to respond to an enforcement notice, it could result in a fine from £400 to £4,350 depending on the size and turnover of the organisation.
The ICO has issued guidance on the data protection fee and a tool for organisations to calculate how much they will need to pay; see its website, www.ico.org.uk.
Organisations who paid a fee under the pre-GDPR system don’t have to pay the new fee until their current annual registration expires.
Requirements to comply under the GDPR
It is important to note that the fines for failing to pay the fee to the ICO are minimal compared to the potential fines for failing to comply with other obligations under GDPR, including ensuring that personal data is securely held and data subjects are provided with transparency information.
The information must be provided promptly and in a concise, transparent, intelligible and easily accessible form, using clear and plain language and include:
• The identity and contact details of the data controller;
• The contact details of the data protection officer (if applicable);
• The purpose of any processing and legal bases for processing;
• Where processing is based on legitimate interests, what they are;
• Any recipients of the personal data;
• Details of any transfers to third countries and means of safeguarding;
• The retention period or how it is decided;
• The right for individuals (data subjects) to ask the data controller to access, rectify, erase, restrict or transfer their data to another controller;
• Where processing is based on consent, the data subject’s right to withdraw consent;
• The right to complain to the ICO;
• Whether the provision of personal data is a statutory or contractual requirement or is necessary to enter into a contract, and whether the data subject is obliged to provide such personal data and the consequences of failure to do so;
• The existence of automated decision making (including profiling);
• Any further processing activities beyond the initial purpose.
One of the most common ways to provide individuals with this information is in a privacy notice. Under the GDPR, greater emphasis is placed on making privacy notices understandable and accessible by using the most appropriate mechanisms, for example, supplying them in a digital context on your website and/or email footers.
Providing a privacy notice is an important part of fair processing. To ensure transparency, the ICO recommends that you consider the following elements when planning a privacy notice:
• What information is being collected?
• Who is collecting it?
• How is it collected?
• Why is it being collected?
• How will it be used?
• Who will it be shared with?
• What will be the effect of this on the individuals concerned?
• Is the intended use likely to cause individuals to object or complain?