The ICO data protection fee

Olivia Satchel

Lawyer

Does your organisation need to pay the ICO data protection fee? The short answer is yes if you are processing personal information as a data controller, unless you are exempt. Our guide explains all you need to know about the ICO data protection fee for UK businesses.

What is the ICO data protection fee?

The ICO data protection fee is a requirement for data controllers in the UK to pay a fee to the Information Commissioner’s Office (ICO) – unless exempt – under The Data Protection (Charges and Information) Regulations 2018 S.2(2).

Prior to this, it was a requirement under European law for a data controller (unless exempt and subject to the laws of individual member states) to make a notification to the relevant supervisory authority (the ICO in the UK) before processing sensitive personal data. When the General Data Protection Regulation (GDPR) came into effect, it removed the obligation for notification under European law.

As notification fees had previously funded much of the ICO’s data protection work, the abolition of these fees would considerably impact the ICO budget. Consequently, domestic fee legislation was enacted to address the shortfall.

Who has to pay the ICO data protection fee?

To find out if you need to pay the ICO data protection fee, you should use the ICO self-assessment checker. There, you have to answer several questions, such as whether you process personal information at all and, if so, whether you process it by electronic means. You must also answer whether your organisation is responsible for the processing, what the purposes of your processing are, and whether you are a non-profit organisation. A question only appears if it is still needed to determine whether you are exempt.

Additionally, you have to declare whether you use CCTV for the purpose of crime prevention. As CCTV footage holds a high volume of personal data and people can be easily identified from it, such processing should be carefully considered and guided by the ICO’s guidelines. If you use CCTV, you are already required to pay the fee. This results from the risks and the possible consultation of the ICO on this (read our detailed guide to legally compliant CCTV).

At the end of the assessment, you will receive your result, i.e. whether you have to pay the fee or are exempt. If you need to pay the fee, you need to register with the ICO and can then make your payment.

How much is the fee for the ICO?

The amount that you are required to pay depends on your organisation’s size and annual turnover. For most organisations, the fee is £40 or £60 per year, with a maximum fee of £2,900. This fee is payable every year. If you fail to pay it, the ICO can issue a monetary penalty of up to £4,000.

If you are exempt, you may still need to let the ICO know of your exemption. If the ICO contacted you by naming your Companies House Number, you need to contact the ICO regarding your exemption. If, however, you received a letter about renewing your registration but are exempt, you would only need to cancel your registration. If you have not received a letter, there is no need for you to contact the ICO.

Exemptions from the obligation to pay the fee

Generally speaking, you don’t need to pay a fee if you are only processing personal data for one of the following purposes:

  • Staff administration
  • Advertising and marketing
  • Maintaining accounts and records

Other, less common grounds for exemption are processing personal data for personal or household affairs, judicial functions, maintaining a public register, not-for-profit purposes and manual (i.e. non-automated) processing.

If you are controlling and processing personal data for other purposes, it is likely that you will need to pay the fee. To avoid contact from the ICO, you should either pay the fee or complete this form explaining why your organisation is exempt.

How to pay the ICO data protection fee

To pay the fee, you need to register online.

As well as publishing the names of all fee-paying organisations, the ICO will name organisations that it needs to fine. The maximum fine for non-payment is £4,000 on top of the fee you are required to pay. Therefore, to avoid penalties and a bad reputation and to ensure that you comply with your obligations under the DPA 2018, we recommend that you self-assess using the link above.

If you are not sure whether you have to pay the fee, or if you have other data protection related questions, don’t hesitate to ask us.