Do I need to register with the ICO and pay a data protection fee?
Most organisations that process personal information are required by law to pay a ‘data protection’ fee to the ICO. We look at who the ICO is and tell you everything you need to know about the data protection fee.
Who is the ICO?
The Information Commissioner’s Office, known as the ICO, is an independent body that upholds information rights in the UK. As the UK regulator, the ICO oversees all aspects of data protection, including the fee register, data protection legislation, guidance on data protection and the use of technology, as well as any complaints.
The ICO aims to protect the rights of individuals over their own data. The organisation ensures that any business or organisation processing that personal information respects those rights. It provides a forum through which to complain about data privacy concerns and takes action against those that are believed to have abused individuals’ rights.
What is the ICO data protection fee?
The ICO data protection fee was introduced in May 2018 as part of the Data Protection Act 2018 which sits alongside the General Data Protection Regulation.
The fee is paid by organisations that process personal data and this money funds the work of the ICO. All those who have paid their data protection fee are listed on the register of fee payers maintained by the ICO.
Who needs to pay the data protection fee?
If you store people’s contact details for your business you are ‘processing’ personal information and so potentially covered by this requirement.
Businesses from sole traders and independent practitioners up to multinational companies and global charities are required to pay the fee unless, under certain circumstances, they are exempt.
Who is exempt from registering with the ICO?
The scope for exemption is fairly limited. The ICO is clear, for example, that if you have CCTV you must pay the fee and if you are an ‘independent consultant’, you must pay the fee.
There are a few exemptions. If you only keep paper records, you don’t need to pay the fee. Sadly, that doesn’t cover many 21st Century businesses! If you are, for example, a small business in the construction sector that only uses the information for staff administration, accounts and your own marketing, you may be exempt.
If you think you might be exempt, the best way to be sure is to use the ICO self-assessment.
Why is there a data protection fee?
The data protection fees fund the ICO’s work (contrary to some reports, the ICO doesn’t get any income from fines it imposes).
Last year, the ICO collected around £40 million in fees from businesses, but its income would probably be at least double that if all non-exempt businesses actually paid up. It expects to collect over £46 million in fee payments this financial year.
How much is the ICO data protection fee?
The data protection fee is set by Parliament and varies depending on the size and turnover of your business. It is based on the risk that is believed to be presented by your data processing.
For most organisations, including small and medium enterprises, the fee is between £40 and £60 a year. For a small business the fee is £40 and if you pay by direct debit (which is handy so that you don’t forget to renew) this is reduced to £35 a year.
Why should I pay the fee to the ICO?
If you’re subject to the requirement, it’s important that you keep paying these fees. The ICO can impose financial penalties on companies that do not pay. You might think it’s too much work for the ICO to come looking for businesses that don’t pay the fee – but you’d be wrong. The ICO has approached thousands of businesses in past months about their failure to pay the fee and has started issuing penalties for non-payment. Find out about the ICO data protection fee campaign.
The ICO publishes a list of all fee-paying companies so it will be obvious to your customers and competitors that if you’re not on that list, you’re not paying your fee! The ICO encourages all businesses to pay the fee and appear on the register as it sees this as a sign of commitment to processing people’s information professionally.
Anybody can check the data protection public register at any time to see whether a business is paid up.
How do I pay my ICO fee?
The data protection fee is paid online via the ICO website. For a first-time payment, you need to complete a form that may take up to 15 or 20 minutes. You need to have to hand your company registration number (where relevant), the number of employees in your company, contact details and bank or card details.
You can pay by credit card or by direct debit. If you pay by direct debit, the fee is reduced. We recommend that you do this so that you can’t forget to pay in future years. When you have paid you will appear on the ICO fee payers public register.
Have you received a letter from the ICO?
The ICO has been writing to UK registered businesses asking them if they need to pay their data protection fee. If you haven’t paid your fee and have received a letter from the ICO, don’t ignore it or you could face extensive fines!
Once you have paid your fee, it's time to consider what else you need to do to become compliant with data protection legislation.
Astrid is a secure online platform that makes data protection compliance simple. Developed with small businesses in mind, we provide you with all the tools and guidance you need to become and remain compliant with data protection legislation. Find out more about our services. Subscribe now to get your small business compliant and safeguard your reputation, your finances and your business. With prices starting from £225 a year, it’s a small price to pay to protect yourself from potential prosecution and penalty fees.