The Data Protection Fee

To coincide with the General Data Protection Regulation (“GDPR”) coming into effect on 25 May 2018, organisations that control data and determine the purpose for which data is processed (“controllers”) must pay the Information Commissioner’s Office (“ICO”) a fee unless they are exempt. These fees will fund the work that the ICO conducts. This replaces the existing notification fee organisations must currently pay to the ICO.

A tier system has been created for controllers to see how much their fee will be.

Tier 1

For micro-organisations. These consist of organisations with a maximum annual turnover of £632,000 or a staff count of no more than 10 members of staff. This fee is £40.00.

Tier 2

For small and medium organisations. These consist of organisations with a maximum annual turnover of £36 million or no more than 250 members of staff. This fee is £60.00.

Tier 3

For large organisations. These are any organisations that do not fit within Tier 1 or Tier 2. Their fee is £2,900.00.

In order to calculate the number of “members of staff”, all employees, workers, office holders and partners (whether UK-based or overseas) should be included, and the average number working for the organisation during each financial year should be calculated.

There are limited exceptions to the tier-based rules. Public authorities are only categorised into a tier based on their staff member count, not their turnover. Charities will only ever be liable to a Tier 1 fee regardless of how many staff members they have. Furthermore, small occupational pension schemes will also only have to pay the Tier 1 fee regardless of their staff member count or turnover.

There are some exemptions to the need to pay the fee. It is not a legal requirement to pay a fee to the ICO if you are only processing data for one of the listed reasons:

  • Staff administration
  • Accounts and records
  • Advertising, marketing and public relations
  • Not for profit purposes
  • Maintaining a public register
  • Personal, family or household affairs
  • Processing personal information without an automated system such as a computer
  • Judicial functions

The maximum penalty for not paying the fee is a fine of £4,350.

Controllers with a current registration will not have to pay the fee until their notification has expired (12 months after the last renewal).

If your organisation would like to seek any advice regarding GDPR then please get in touch with our Employment Team.