The Information Commissioner's Office has issued a fresh advisory to all small businesses operating in the UK, asking them to pay their data protection fees not only to stay compliant but also to avoid fines under GDPR.
The GDPR, which came into effect in May last year, requires organisations that process personal information to pay data protection fees to the ICO. By paying the fee, which ranges from £40 to £2,900 depending upon the type and size of an organisation, an organisation will find a place in the ICO's register of data controllers.
A majority of organisations in the UK are required to pay either £40 or £60 as their data protection fee, but charities and small occupational pension schemes pay £40 regardless of their size and turnover.
In a blog post, Paul Arnold, deputy chief at the ICO, explained to small businesses why it is beneficial for them to pay the data protection fee, stating that not only is it required by law but also that doing so preserves their reputation as guarantors of customer data security.
"It’s the law to pay the fee, which funds the ICO’s work, but it also makes good business sense. Because whether or not you’ve paid the fee could have an impact on your reputation. When you’ve paid, your business is published on our register of data controllers. Members of the public and other companies check that list before they decide to do business.
"We speak to thousands of people and organisations every week and it’s clear that being on the register tells others a lot about you. It’s a strong message for your customers – it lets them know that you value and care about their information and that you’re more likely to keep it secure and not share it inappropriately.
"It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations. It indicates that you’re more likely to take your other data protection responsibilities seriously too. It’s a reassurance for those thinking of doing business with you," Arnold wrote.
Fines for not paying the data protection fee could be ten times as much
If organisations are processing customer data but are not paying the data protection fee, they risk being fined between £400 and £4,000 under provisions of GDPR. What this means is that fines for small businesses with modest turnover could be over ten times as much as the fee they are required to pay.
According to the ICO, organisations across the UK have so far received 103 penalty notices for failing to pay the data protection fee following the arrival of GDPR. As many as 900 notices of intent to fine have also been issued by the ICO since September last year.
"You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this," Arnold said in November last year.
While small businesses employing fewer than ten people are required to pay £40 as the data protection fee, small and medium businesses are required to pay £60, and only those organisations that employ over 250 people or have a turnover in excess of £36 million are required to pay a minimum of £2,900 as the data protection fee.