Do you have to pay the ICO data protection fee?
In general, all organisations (including small businesses or freelancers) in the UK which process personal data as a controller must pay the data protection fee to the ICO.
We often come across this question from our clients operating in the United Kingdom. The general rule is that if your business processes personal data as a controller, you will be required to pay the data protection fee to the ICO unless an exemption applies. We therefore thought we would set out a quick overview of the rules here!
Are there any exemptions to payment of the ICO data protection fee?
Businesses will be exempt from paying the data protection fee if they only process personal data for one or more of the following purposes:
Staff administration
Advertising, marketing and public relations
Accounts and records
Non-profit purposes
Personal, family or household affairs
Maintaining a public register
Processing personal information without an automated system such as a computer (for example, paper records only).
To be on the safe side, it is best to use the ICO's self-assessment tool, which is available on their website, to check whether or not you need to pay the fee.
The ICO tool will allow you to establish whether your business needs to pay the fee, what tier your organisation fits into, and the amount of the data protection fee that you will be required to pay. More on this below.
If I do have to pay the ICO data protection fee, how much is it?
This will vary depending on the size of your business, your turnover, and the type of organisation you are. The fee varies from £40 to £2,900 and depends on which tier your organisation fits into.
The ICO categorises organisations into three tiers, as follows:
1) Tier 1 – micro-organisations: £40 fee.
This applies if your business has a maximum turnover of £632,000 (per financial year) or no more than 10 members of staff (including yourself). Charities and small occupational pension schemes also pay the tier 1 fee regardless of their size.
2) Tier 2 – small and medium organisations: £60 fee.
This applies if you have a maximum turnover of £36 million (per financial year) or no more than 250 members of staff.
3) Tier 3 – large organisations: £2,900 fee.
This final tier applies to all organisations that do not meet the criteria for tier 1 or tier 2. Note that the ICO treats every controller as tier 3 by default unless the controller tells the ICO otherwise.
Remember: all staff members count, including those who are part-time or working overseas.
If I do have to pay a fee, how do I pay?
If you are paying for the first time:
You can submit your information via the ICO website, giving details of your organisation including turnover and number of staff. The ICO will then determine the tier of your organisation and charge you the fee accordingly.
If you are already registered:
The ICO will decide which tier your organisation falls into based on the information you have previously provided. If you think there is an error, contact the ICO by phone or email; their contact details are on their website.
Note: if you were previously registered under the Data Protection Act 1998, you will only need to pay the new data protection fee when your existing registration expires. The ICO will notify you when this happens.
Remember: if your registration expires, you will be treated as a tier 3 organisation and charged the tier 3 fee by default. To avoid this, notify the ICO as soon as possible so that it can establish which tier your organisation falls into.
Are there any consequences if I don’t pay the data protection fee when I am supposed to?
Yes. The maximum penalty for failing to pay the ICO data protection fee when you are required to is a fine of £4,350 (150% of the top tier fee). You may be subject to this penalty if you have not paid a fee at all or have paid a lower fee than your tier requires.
If you need any further advice about the ICO data protection fee or any other assistance regarding your UK data processing practices, then please do not hesitate to contact us!
Article by Gabrielle O’Sullivan @ Gerrish Legal, August 2021