The ICO has issued a penalty notice to over 100 organisations for failing to pay their data protection fee. Failing to pay this fee due to an innocent mistake may not be accepted as a viable excuse, as demonstrated by the recent judgement in Farrow & Ball Limited v The Information Commissioner (Dismissed) [2019] UKFTT 2018_0269 (GRC).
Under the Data Protection (Charges and Information) Regulations 2018, UK organisations are required to pay the ICO an annual data protection fee unless they are exempt. The fee payable depends on the tier of the organisation, and ranges from £40 to £2,900.
In December 2018, we published an update explaining that the ICO had sent over nine hundred letters of intent to organisations that had not paid their fee, and that it intended to issue penalty notices and fines where necessary.
In 2018, 103 such notices were issued by the ICO. This included a £4,000 penalty notice issued against paint and wallpaper company Farrow & Ball Limited for its failure to pay the £2,900 data protection fee required of a tier 3 organisation.
Farrow & Ball appealed this penalty notice at the First Tier Tribunal (Information Rights) in March 2019 on the basis that its failure to pay was an innocent mistake, as:
- the ICO’s reminder was sent when the relevant individual was on holiday;
- the reminder was not identified as important internally;
- Farrow & Ball contacted the ICO promptly once the failure was identified and paid the fee immediately; and
- Farrow & Ball has put procedures in place to ensure it will not happen again.
However, in its first ruling of an appeal against such a notice, the Tribunal held that Farrow & Ball did not have a reasonable excuse for non-compliance as a “reasonable controller” would have systems in place to comply with the 2018 Regulations and there was no particular difficulty or misfortune which explained Farrow & Ball’s departure from the expected standards of a “reasonable controller”. There was no evidence of financial hardship or other reason for the ICO’s discretion to be exercised differently. The penalty notice was therefore upheld.
The outcome of this appeal serves as a reminder of the importance of complying with the 2018 Regulations. Subject to any further appeal by Farrow & Ball, it is likely that a similar approach will be taken by the Tribunal in any appeals brought in future.
The ICO has also recently published a blog explaining why businesses that process personal data need to pay the data protection fee. Paul Arnold, ICO Deputy Chief Executive, suggests that in addition to it being the law to pay the fee, it also makes good business sense and has an impact on an organisation’s reputation. It tells your customers that you care about and protect their information, and offers reassurance to other organisations doing business with you.
Organisations can pay the data protection fee on the ICO’s website, which takes about 15 minutes to complete. If you are not sure whether you need to pay a fee to the ICO, you can use the ICO’s self-assessment tool to find out.