Have you paid the ICO Data Protection Fee?

This is a legal requirement for most UK registered companies.

Under the Data Protection (Charges and Information) Regulations 2018 (Regulations) it is a legal requirement for most companies to register and pay a fee to the Information Commissioner’s Office (ICO). Online registration and payment is relatively straightforward, taking around 15 minutes. Non-payment can result in hefty fines and attract adverse publicity because the ICO holds a searchable list on its website of all organisations that have registered and paid.

Who needs to pay?

The Regulations require every ‘data controller’ who is processing personal information to pay the fee, subject to limited exceptions below. Most organisations will handle personal data of customers as ‘data controllers’ in one form or another, so they will need to register with the ICO website. Although controllers decide how data is handled and used, they may also instruct another party, a ‘data processor’, to carry out the task of processing the data. A ‘data processor’, who merely processes the data under the instruction of the data controller, is not liable to pay the data protection fee. We suggest you refer to our earlier article, if you would like further clarification about the concept of a data controller and processor.

Am I exempt?

There is no requirement to pay the fee if you are a controller who is processing personal data only for one or more of the following purposes:

  • staff administration
  • advertising, marketing, or PR
  • accounts or record keeping
  • not-for-profit purposes
  • personal, family or household affairs
  • maintaining a public register
  • judicial functions
  • processing personal information without an automated system e.g., computer

The ICO self-assessment tool can be used to determine if your organisation is exempt.

Even if you are exempt, it is advisable to voluntarily complete this online form so that the ICO can keep up-to-date records. Although you may be currently exempt, you should regularly review your data processing activity to check whether it has moved beyond the scope of the exemptions, in which case a fee becomes payable.

What are the fees?

There are three tiers of fees, subject to the size and turnover of your organisation:

  1. £40 – micro-organisations with a maximum of: 10 staff or turnover of no more than £632,000
  2. £60 – small and medium sized organisations with a maximum of: 250 staff or a turnover of no more than £36m
  3. £2900 – larger organisations with over 250 staff or a turnover of more than £36m.

Fees do not incur VAT and are subject to a £5 reduction if payment is made by direct debit.

Charities (that are not subject to exemptions applicable to not-for-profit organisations) and small occupational pension schemes are only liable to a Tier 1 fee irrespective of their size and turnover. Public authorities are only categorised by their number of staff.

Comment

If in doubt as to whether a data protection fee is payable, an ICO helpline is available on 0303 123 1113. In such circumstances it may be advisable to err on the side of caution and pay the fee as it is likely to be only £40 or £60 per annum for most organisations. This is because the data protection fee is actively enforced by the ICO, and they will fine organisations in default. The ICO may also target those who are registered with Companies House but do not yet appear on the ICO register, as the Companies House details are on public record. Penalties apply for non-payment or the incorrect level of payment, up to a maximum of £4,350 (150% of Tier 3 payment). Organisations need to be particularly mindful to check if they are liable to pay the fee when registering a company for the first time, although thereafter they will be issued with an annual reminder by the ICO. If you would like further information, please refer to the ICO data protection guide for controllers or contact our Commercial/IP team.