The Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a Data Protection Fee to the ICO, unless they are exempt.

This briefing note will give you some guidance on how you can check whether you need to register, and if you do, how much the cost will be. The Data Protection Fee replaces the requirement to ‘notify’ (or register), which was in the old Data Protection Act 1998. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.

Does the Data Protection Act 2018 and the GDPR apply to my organisation?

Yes, if you have information that can identify individuals (personal data) for any business or other non-household purpose. The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.

How do I notify and register with the ICO?

You can notify the ICO by either:

  1. Filling in an online notification form, printing it out and sending it to the ICO
  2. Completing a notification form request and posting it to the ICO
  3. Calling ICO’s fees helpline (0303 123 1113) and requesting a notification form

You will need to fill in details of your organisation and a general description of the processing of personal information being carried out by the data controller. It should take you around 15 minutes to complete.

How much does it cost to register with the ICO?

The data protection fee charged by the ICO depends on the size of your organisation or turnover.  There are three different tiers of fees controllers are expected to pay - £40, £60 or £2,900. For most organisations, the cost will be £40 or £60. The ICO has developed a fee assessment tool. That tool will help you ascertain which fee is payable.

The tier that your organisation falls into depends on:

  • how many members of staff you have;
  • your annual turnover;
  • whether your organisation is a public authority;
  • whether your organisation is charity; or
  • whether your organisation is a small occupational pension scheme.

Tier 1 – Micro Organisations

You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff.  The fee for tier 1 is £40.

Tier 2 – Small and Medium Organisations

You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – Large Organisations

If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.

The ICO gives a £5 discount for payments by direct debit.

What could happen if I don’t pay the Data Protection Fee?

Failure to pay the Data Protection Fee is now a civil offence. The ICO has begun formal enforcement action against organisations who have not paid the fee. The ICO will send a notice of its intention to fine an organisation unless they pay. Those that do not pay could face a fine of up to £4,350. Organisations have 21 days to respond to the notices

What happens when I am registered with the ICO?

Once you have successfully notified the ICO, the details of your organisation will be entered on the register of data controllers, and your organisation should be visible on the public register held by the ICO, which will include:

  • the data protection registration number given to you;
  • the level of fee you have paid (that is, tier 1, tier 2 or tier 3);
  • the date you paid the fee and when it is due to expire;
  • any other trading names you have; and,
  • name and contact details for your Data Protection Officer (DPO), if you have one.

The ICO will usually email a receipt to you within 1-3 working days of completing your transaction.

Do I need to renew my registration with the ICO each year?

Yes, you will need to renew your registration each year. The ICO will email you around 6 weeks before your registration expires. We recommend that you diarize the renewal date and make your administration and finance teams aware of the renewal deadline.  

What else should my business be doing?

Organisations should continue to raise awareness of Data Protection risks in their business and ensure that they – and their staff - are aware of all the potential risks.

We have established a multi-disciplinary team to assist with all areas of Data Protection our commercial, company, employment, and Intellectual Property teams are available to address any queries.

GDPR/Data Protection Audit

We recommend that organisations carry out a detailed GDPR/Data Protection audit.