One of the regulatory requirements missing from the General Data Protection Regulation (GDPR) is the requirement to register your data processing activities with a supervisory authority (the ICO in the UK). Under the current regime of the Data Protection Act 1998 there is both a requirement to register and pay a fee to the ICO. The fees collected by the ICO go towards the running of the ICO (contrary to popular belief, ICO fines go to the Government not to the ICO).
If you’re thinking, great, under GDPR I don’t need to register or pay a fee for registering, you’re going to be disappointed.
The recently passed Digital Economy Act 2017 contains provisions (Part 6) on “Charges payable to the Information Commissioner” which enable the government to introduce regulations for a charging and registration regime for the ICO.
Today, the ICO have clarified this element of the Act and how it fits with the GDPR in a blog post. In essence it means that whilst the GDPR doesn’t include a requirement for notifying or paying the statutory authority, the Digital Economy Act does. It will be up to the DCMS (the ICO’s sponsoring, government, department) to introduce the regulation as well as sort out the fee and registration regime. We can probably expect a consultation on the structure, although the ICO suggest it will be a three-tier system and will come into force on 1st April 2018. The blog post also addresses some obvious questions like should you re-register now before the new scheme comes into place and what happens if you renew now, will you be expected to re-register in April?