Data Protection – Feeling Fines

8 January, 2019

In the build up to the General Data Protection Regulation (GDPR) coming into force, much of the attention was focused on the eye-watering potential fines (€20m or 4% of turnover). We’re still waiting to see how significant those fines might end up being in practice, since the timescale for enforcement action means we’re still seeing fines being handed out for breaches of pre-GDPR law. Late last year the UK Information Commissioner’s Office (ICO) fined Uber £385,000 in relation to a 2016 data breach. Because the breach was of the Data Protection Act 1998, the maximum fine was £500,000. Time will tell whether a 2019 breach ends up attracting a higher fine.

kchung (c)

The fines so far

In fact, the majority of fines which relate to post 25 May 2018 activity (or inactivity) are comparatively low, and don’t relate to data breaches at all, but non-payment of fees.

When the GDPR came into force (together with the UK’s Data Protection Act 2018) the UK also implemented the Data Protection (Charges and Information) Regulations 2018, which replaced the old “notification requirements” with a new data protection fee.

Failure to pay the fee can result in a fine of up to £4,350 (some way short of €20m) and the ICO confirmed that it has already issued fines for failure to pay fees.

There is some good news however, under the Data Protection Act 1998, failure to notify the ICO and pay their fee was a criminal offence. Failure to pay the new data protection fee is only a civil offence.

Fee Fine Fo Fum

So, how do you tell if you need to pay a fee, and how much is it?

Well the new structure has three tiers (£40, £60 or £2,900 per year) depending on size and turnover. There are some exemptions available (the ICO have a self assessment test here) but if you were already registered with the ICO, you’ll most likely need to pay the fee (although new fees aren’t due until the old registration expires).

Don’t forget, if you have a group of companies which act as data controllers, each individual company will need to pay a data protection fee, although you may want to contact the ICO directly to discuss how this operates.

For more information on data protection, please contact Elliot Fry at or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw