Since the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations that define how and why personal data is processed, shortly named Controllers have been required to pay higher fees to the Information Commissioner’s Office.
Don’t get these confused with the fines for violating the GDPR itself, these fines are much smaller and go directly to the ICO. Organisations with fewer than 10 staff pay £40, SMEs are charged £60, and those with more than 250 staff or a £36m-plus turnover pay £2,900 a year. The fines are tiered, up to £400, £600 and £4,000 respectively.
Back in September 2018, the ICO sent out a warning letter to those that failed to pay, and then in March 2019 started issuing the first wave of penalty notices. Though previously unnamed these organisations are now put in the spotlight on the ICO’s website.
Most notably the list includes gaming company Ubisoft Reflections and NetApp. Other late payers include Gigya UK, Conde Nast, pizza chain Prezzo and construction firm Caterpillar.
The ICO cites privacy reasons for not including any sole traders who have been issued a penalty notice (PN).