We often get asked by clients what is the ICO Data Protection Fee and if they must pay. Given the Information Commissioner’s Office (ICO) push to engage all registered companies to comply with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), it’s an unavoidable issue.
In general, any business handling personal information as a data controller is required to pay a data protection fee to the ICO unless there’s an exemption. So if you’re a sole trader, small company, or SME managing any kind of personal data, the ICO may soon be knocking on your door if you’ve not received any notification.
The UK GDPR provides a comprehensive list of definitions concerning personal data, including name, identification number, location data, and an online identifier. Paying the fee will show your company’s commitment to data protection, and you’ll avoid paying a huge penalty. So far, since May 2018, over 600,000 organisations have registered to pay, while 340 penalties were imposed between July and September 2019.
Why Have I Received an ICO Letter About the Data Protection Fee?
The ICO has been widely campaigning since December 2019 to raise awareness with companies of their legal duty to uphold data protection laws. If you’ve received a letter, then it means you are eligible to pay the data protection fee and are not registered with them. Due to the increase in cases of phishing and scams, you can confirm the authenticity of the letter by typing in “ICO fee” on your browser to get to the ICO page.
ICO Data Protection Fee Example Letter
In other instances, companies can be contacted via email, phone, or text message. The ICO also encourages you to access its website to learn more about other GDPR requirements.
Do I Need to Pay the Data Protection Fee?
You need to pay the Data Protection fee to ICO as it’s a legal obligation, that is, if you’re not exempt. Second, the ICO is dedicated to its mandate to implement the regulations, so it would be remiss to ignore their alerts. Third, the fees collected support ICO’s main activities, such as handling data breaches and complaints and providing relevant resources for organisations.
In addition, it’s worthwhile to follow through to avoid paying penalties. It’s also a way to show your business positively regarding data protection, as ICO publishes the names of organisations that pay the fee.
ICO provides a self-assessment tool to confirm if you need to pay the fee or if you’re exempt. Aside from that, if you are storing personal information for business purposes on an electronic device or using CCTV for security purposes, you automatically have to pay the fee.
When the GDPR came into effect on 25th May 2018, it gave the public more rights over their information. Consumers can ask the company for information it has on them without any barriers.
As a business owner in the market today, storing customer data can bring complexities. As a result, your customers need assurance that you will safeguard their sensitive information – and in the event of a data breach, you need to follow strict procedures.
Who Is Exempt?
Not every organisation is expected to pay the fee, as there are some exceptions and exemptions. Generally, you are exempted from paying if the personal data you’re processing is for one of the following business reasons:
- Advertising, PR, and marketing
- Administration of employees
- Judicial functions
- Individual, family, or household matters
- Non-profit purposes
- Maintaining a public register
- Maintaining accounts and records
What Happens if I Don’t Pay the ICO Fee?
As highlighted before, the ICO imposes a hefty penalty on those that fail to register and pay the fee. You may have to pay a fine of up to £4,350, sent directly to the government. So it’s wise to take the initiative to determine if you need to pay the fee and when you should renew it.
How Much Are the ICO Data Protection Fees?
The fee charged is based on three tiers which depend on:
- Size of organisation
- Annual turnover
- Type of organisation—charities, public authorities, or a small occupational pension scheme
Most companies pay an annual fee of £40 or £60. As for larger organisations, they pay £2,900 per year. The payment is always VAT:nil.
The three tiers of the fee are:
- Tier 1 – Micro Organisations
- The fee is £40 with a maximum turnover of £632,000 in a financial year of 10 or fewer employees.
- Tier 2 – Small and Medium Organisations
- The fee is £60 with a maximum turnover of £36 million in a financial year of 250 or fewer staff members.
- Tier 3- Large Organisations
- The fee is £2,900 if the organisation does not meet tier 1 or 2 requirements.
According to the ICO, charities and small occupational pension schemes pay £40 regardless of size or turnover. For public authorities, their fee will only be dependent on the number of staff. Make sure to communicate with ICO about your business situation to avoid being classed under tier 3 and having to pay the steep £2,900 fee.
How Do I Pay the Data Protection Fee?
It’s a simple process and doesn’t take much of your time.
What to do:
- Visit the ICO website using this link, click on ‘first time payment’ if you’ve never registered before, which should take about 15 minutes. Click on ‘renew’ if you’re already registered.
- If you choose to pay the fee using direct debit, you will get a discount of £5.
- If you’re exempt from paying the fee, visit the ICO Exemptions page to notify the ICO why you’re to be exempted.
Conclusion
Data has always been a critical asset to a company, but how businesses capture, store and process this data is now tightly regulated.
Every business in the UK will have to uphold their data protection duties under the current ICO laws. If you’re a newly registered business, the chances are the ICO will be writing to you to ensure you’re signed up.
Hopefully, our article highlights everything you need to know, but if you want bespoke advice about your specific business case, we’d advise reaching out to the ICO directly. However, if you need support with any areas of accounting, from VAT returns to bookkeeping, please don’t hesitate to get in touch.