• To coincide with the General Data Protection Regulation (“GDPR”) coming into effect on 25 May 2018 organisations that control data and determine the purpose for which data is processed (“controllers”) must pay the Information Commissioner’s Office (“ICO”) a fee unless they are exempt. These fees will fund the work that the ICO conduct. This replaces the existing notification fee organisations must currently pay to the ICO.

    A tier system has been created for controllers to see how much their fee will be.

    Tier 1

    For micro-organisations. These consist of organisations with a maximum annual turnover of £632,000 or a staff count of no more than 10 members of staff. This fee is £40.00.

    Tier 2

    For small and medium organisations. These consist of having a maximum annual turnover of £36 million or no more than 250 members of staff. This fee is £60.00.

    Tier 3

    For large organisations. these are any organisations that do not fit within Tier 1 or Tier 2. Their fee is £2,900.00.

    In order to calculate the number of “members of staff” all employees, workers, office holders and partners (whether UK-based or overseas) should be included and the average number working for the organisation during each financial year should be calculated.

    There are limited exceptions to the tier-based rules. Public authorities are only categorised into a tier based on their staff members count, not their turnover. Charities will only ever be liable to a Tier 1 fee regardless of how many staff members they have. Furthermore, small occupational pension schemes will also only have to pay the Tier 1 fee regardless of their staff member count or turnover.

    There are some exemptions to the need to pay the fee. It is not a legal requirement to pay a fee to the ICO if you are only processing data for one of the listed reasons:

    • Staff administration
    • Accounts and records
    • Advertising, marketing and public relations
    • Not for profit purposes
    • Maintaining a public register
    • Personal, family or household affairs
    • Processing personal information without an automated system such as a computer
    • Judicial functions

    The maximum penalty for not paying the fee is a fine of £4,350.

    Controllers with a current registration will not have to pay the fee until their notification has expired (12 months after the last renewal).

    If your organisation would like to seek any advice regarding GDPR then please get in touch with our Employment Team.

    This content is correct at time of publication

    Can we help?

    Take a look at our Commercial Law, Data Protection and GDPR page for useful information, resources, guidance, details of our team and how we may be able to help you

  • Get in touch

    Please fill out the below form or alternatively you can call us on 01622 690691

      By submitting an enquiry through 'get in touch' your data will only be used to contact you regarding your enquiry. If you subscribe to any of our newsletters, you can unsubscribe any time using the link in the email. Please view our privacy statement for more information