
A guide to the ICO’s data protection fee

11 Apr 2023

Do you know if you need to pay? Recent campaigns have reminded SMEs of their legal responsibility to pay a data protection fee. Organisations have been warned of scams relating to payment of the data protection fee, so here we lay out the information you need to know to stay on the right side of the law.

What is the data protection fee?

In today’s digital age, data protection has become a crucial issue for businesses and individuals alike. The Information Commissioner’s Office (ICO) is the UK’s independent watchdog ensuring that personal data doesn’t end up in the wrong paws. One of the ways the ICO funds its activities is through the collection of a data protection fee from organisations that process personal data. The fee is used to fund the ICO’s activities in investigating breaches, providing guidance and support to businesses and the public on data protection issues, and enforcing data protection regulations.

On 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 came into force, changing the way the ICO funds its data protection work.

If you are paying for the first time, you will need to give the ICO certain information, such as the name of your organisation, the best way to contact you and the fee tier which you think you fall into.

Who needs to pay the fee?

The fee is payable by organisations that process personal data, subject to some exemptions. The exemptions are quite narrow: for example, organisations which only process personal data for staff administration purposes, or not-for-profit organisations that only process personal data for fundraising purposes.

If you’re not sure if you are required to pay the fee, you can use the ICO’s self-assessment tool.

How much is the fee?

There are three tiers of fees, based on the nature, size and turnover of your organisation. The fees range from £40 to £2,900 per year. You can carry out an online assessment to determine the fee payable.

How to pay the fee

Organisations can pay the fee online through the ICO’s website. The fee is payable annually, and organisations must renew their payment every year. The ICO is warning companies to be aware of scams relating to payment of the data protection fee, so it is best to do this directly with the ICO online rather than through a link in a letter or email.

Failure to pay the fee can result in enforcement action by the ICO, including fines of up to £4,350 and legal proceedings. The ICO also ‘name and shame’ the organisations which have been issued with penalty notices for not paying the fee. The data protection fee is a small price to pay for peace of mind.

How we can help

For further advice and support with data protection compliance, please contact our specialist data protection team.

Alice Hunter

Associate
Commercial
