Data Protection Fee: have you received a letter from the ICO?

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt.

The ICO have recently launched a campaign to contact all registered companies in the UK to remind them of their legal responsibilities to pay a data protection fee if required. 

We know data protection legislation can be complicated and we are here to help. The reminders we are sending to organisations are to help make it easy to comply with the law as well as access a great deal of advice and support available from the ICO.

Paul Arnold, Deputy Chief Executive, Information Commissioner’s Office

Data Protection Fee

The new data protection fee replaces the requirement to ‘notify’ (or register), which was in the Data Protection Act 1998 (the 1998 Act).

Business have recently begun to receive letters informing them of this, but there is no need to panic! The ICO website has some useful resources to help you find out if you are or your business or organisation are required to pay the fee. Do not ignore the letter, as penalties are in place if the required fees are not paid.

Find out more about paying the data protection fee here.

What are the fees?

There are three different tiers of fee, depending on the size of the organisation.

  • Tier 1 – micro organisations (£40 fee): Maximum turnover of £632,000 with no more than 10 members of staff.
  • Tier 2 – small and medium organisations (£60 fee): Maximum turnover of £36 million with no more than 250 members of staff.
  • Tier 3 – large organisations (£2,900 fee): If you do not meet the criteria for Tier 1 or 2, you are regarded as Tier 3. Please note, the ICO considers Tier 3 the default tier unless and until you tell them otherwise!

You are also eligible for a £5 discount if you elect to pay by direct debit. If you do not pay your fee, there is a penalty fine of up to £4,350 (150% of the Tier 3 fee).

Who is exempt?

On 1 April 2019, the rules around paying the data protection fee changed. Members of the House of Lords, elected representatives and prospective representatives (including police and crime commissioners) are exempt from paying a fee, unless they process personal data for purposes other than the exercise of their functions as a Member of the House of Lords, an elected representative or as a prospective representative.

Further exceptions

  • Public authorities should categorise themselves according to staff numbers only, and do not need to consider turnover.
  • Charities that are not otherwise subject to an exemption are only liable to pay the Tier 1 fee, regardless of size or turnover.
  • Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the Tier 1 fee, regardless of size or turnover.

Find out if you need to pay

An online self-assessment is available from which you will be able to decide if you – as an individual or on behalf of your business or organisation – need to pay a fee to the ICO, and at what tier.

Take the self-assessment test

If you have received a letter from the ICO, further guidance on the data protection fee can be found on their website to help you comply with your GDPR obligations. For further help and advice, call the ICO’s small business helpline on 0303 123 1113 between 9am – 5pm, Monday to Friday (excluding Bank Holidays).