Does your organisation need to pay the ICO data protection fee? The short answer is yes, if you are processing personal information as a data controller, unless you are exempt. Our guide explains all you need to know about the ICO data protection fee for UK businesses.
What is the ICO data protection fee?
The ICO data protection fee is a new requirement (from 25 May 2018) for data controllers in the UK to pay a fee to the ICO (unless exempt) under The Data Protection (Charges and Information) Regulations 2018 S.2(2).
Prior to this, it was a requirement under European law for a data controller (unless exempt and subject to the laws of individual member states) to make a notification to the relevant supervisory authority (the ICO in the UK) before processing sensitive personal data. When the General Data Protection Regulation (GDPR) came into effect, it removed the obligation for notification under European law.
As notification fees had previously funded much of the ICO’s data protection work, the abolition of these fees would considerably impact the ICO budget. Consequently, domestic fee legislation was enacted to address the shortfall.
Who has to pay the ICO data protection fee?
To find out if you need to pay the ICO data protection fee you should use the ICO self-assessment checker.
Many registered companies will be contacted by the ICO over the coming months as part of a campaign to remind them of their legal responsibility under the Data Protection Act 2018 (‘DPA 2018’) to pay a data protection fee.
The amount that you are required to pay depends on your organisation’s size and annual turnover. For most organisations, the fee is £40 or £60 per year; the maximum fee is £2,900.
Exemptions from the obligation to pay the fee
Generally speaking, you don’t need to pay a fee if you are only processing personal data for one of the following purposes:
- Staff administration
- Advertising and marketing
- Maintaining accounts and records
Other, less common reasons for exemption are processing personal data for: personal or household affairs, judicial functions, maintaining a public register, not-for-profit purposes and manual (i.e. non-automated) processing.
If you are controlling and processing personal data for other purposes, it is likely that you will need to pay the fee. To avoid contact from the ICO you should either pay the fee or complete this form explaining why your organisation is exempt.
How to pay the ICO data protection fee
To pay the fee you need to register online.
As well as publishing the names of all fee-paying organisations, the ICO will name organisations that it needs to fine. The maximum fine for non-payment is £4,000 on top of the fee you are required to pay. Therefore, to avoid penalties and to ensure that you comply with your obligations under the DPA 2018, we recommend that you self-assess using the link above.