Using the advanced mathematical techniques employed by those calculating the benefits of Brexit, this blog has been able to deduce the level of the proposed “replacement-for-notification-fees”, levied on controllers, to meet the costs of the ICO under the GDPR.
I can report that these fees are set to rise significantly (at least 50% across the board). Indeed, those paying the current registration fee of £500 per year might find themselves paying just short of £7K per annum. Fees well north of £2K can be expected to be the norm for those larger controllers who have to register under the new regime.
As is well known, the GDPR abolishes notification to the ICO (and its related fee structure; large controllers pay £500, the rest £35). It has been widely reported that the Government are going to introduce a replacement fee that data controllers will have to pay.
Indeed, there is a new clause in the Digital Economy Bill “that confers a power on the Secretary of State by regulations to require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner”.
The clause also explains that there is “a related power for the Secretary of State by regulations to require a data controller to provide information to the Information Commissioner, or to enable the Commissioner to require a data controller to provide information, for the purposes of determining whether a charge is payable and the amount of any such charge.”
Sadly, those who have reported on these matters have not gone on to ask the obvious question: “how much will the new annual fee be, given that the ICO wants 200 more staff?”.
Two hundred staff, you say? Ms Denham told a House of Lords committee exploring adequacy of the UK DPA that: “With the coming of the General Data Protection Regulation we will have more responsibilities, we will have new enforcement powers. … We have given the government an estimate that we will need a further 200 people in order to be able to do the job”.
So now to the sums
Currently there are 384 permanent staff and, according to the 2016 Annual Report (page 77), staff costs are £14,125 million. So, using the same proportion for staff costs, if the ICO wants 200 more permanent staff, then 584 staff will cost about £21,482 million. In other words, we can estimate that all ICO costs (including wage costs) will increase by an approximate multiplying factor of 584/384 or 1.52 (assuming no Treasury hand-out).
For instance, the total net yearly expenditure of the ICO is reported as £23.2 million for data protection; the enlarged ICO can be estimated as costing 1.52 times that amount (£35.3 million). If registration fees have to cover these costs from, say, a list of 20,000 registered data controllers on a reduced register, that is about £1,800 per year.
What happens if the register has the same number of controllers? What are the estimated costs here? As the new “replacement-for-notification fees” (in theory) have to pay for the new ICO costs to meet GDPR regulation, we can use the multiplier of 1.52. It follows that these new fees have to be about £53 (i.e. £35*1.52) for the vast number of controllers and £760 (£500*1.52) for the large controllers.
To get to other options, we have to use the fact that the 2016 Annual Report states that notification fees were £18,311,000 and that on the public register (as of this week) there were 469,414 registered data controllers (see references).
These two numbers are sufficient to calculate the number of large controllers paying £500 for their notification. So, let N be the number of data controllers paying £500; the notification fees from these controllers are therefore £500N. It follows that the remaining data controllers (i.e. 469,414-N) pay £35; their total notification fees are therefore £35*(469,414-N).
This means we can equate the sum of these two components with the total registration fee of £18,311,000 and work out the value of N.
It follows that:
£500N + £35*(469,414-N) = £18,311,000. This is rearranged…
(500N-35N) = 465N = 18,311,000 - 35*469,414 = 1,881,510
N = 1,881,510/465 = 4046 and (469,414-N) = 465,368
So, there are 4,046 controllers paying £500 and 465,368 paying £35; get a calculator to do the sum 4,046*£500 + 465,368*£35. You should get around £18,311,000, minus a minor rounding error.
What would happen if the new notification fee for most controllers remained at £35 and was not increased to £53? This appears attractive because one does not want to antagonise a community of data controllers who are happily forking out £35 per annum at the moment.
If there is to be no Treasury hand-out for the ICO, it follows that any shortfall in fees from controllers paying £35 has to be made up by large controllers currently paying £500.
In other words, 465,368 data controllers each have an £18 shortfall (£53-£35) and this has to be transferred to the 4,046 large data controllers’ notification fees. So, 465,368*£18 (£16,287,740) has to be distributed between 4,046 controllers; this works out to be £4,025 per large controller. Add this to the £750 you already have, and you get a number just shy of £5K (£4,800) per year.
If only large (£500) data controllers pay registration fees (i.e. £35 data controllers don’t have to register), merely divide the ICO new costs (i.e. current ICO plus 200 extra staff) of about £35.3 million by 4000-5000; you get a number that is at least £7K per controller.
Well, I think it will be politically attractive to sting large controllers for £7K as it avoids 465,368 data controllers moaning about £53 every year. After all, if you have a controller with a turnover greater than £25.9 million, £7K will hardly be noticed.
I also suspect that somebody in Government, when it announced the new registration policy, did not do the sums, or if they did the sums, they subsequently decided to keep very quiet for obvious reasons.
Hmmmm? Not working out the financial consequences of a decision or keeping stumm as there is nothing positive to say? Reminds one of the Government’s approach towards Brexit.
References
- Government’s notification fee replacement announcement: https://www.publications.parliament.uk/pa/bills/lbill/2016-2017/0102/17102-further-supplementary-delegated-powers-memorandum(2).pdf
- Number of data controllers: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/download-the-register
- ICO Annual Report 2015/2016 (page 19): https://ico.org.uk/media/about-the-ico/documents/1624517/annual-report-2015-16.pdf