ICO Data Protection Registration Fee: How Much and Who Needs to Pay?
If you’re a company director or small business owner, you may have been surprised recently by a letter from the Information Commissioner’s Office (ICO), requiring you to pay an annual ‘data protection registration fee’.
You may have wondered if the fee request was genuine. Could it be a scam? Do you have to pay? Does the data protection registration fee signal another needless layer of bureaucracy? And what are the consequences if you ignore the letter?
In this blog, we’ll run you quickly through what the data protection registration fee is, how it came about, and who has to pay.
We’ll also answer the question many people ask us: is there a way of getting out of paying it?!
What is the Data Protection Registration fee?
If you’re a data protection enthusiast like us, you’ll know that registration with the ICO and payment of a fee is not new. The Data Protection Act 1998 (DPA) required all ‘data controllers’ processing personal information to register with the ICO, unless they were exempt. Trouble is, no-one really bothered.
Enter GDPR. This new legal framework was introduced in 2018 to tackle the growing problem of data privacy breaches.
GDPR brought the 1998 DPA into the 21st Century and now gives us greater protection against the spammers and scammers who can make life a misery in a world where our personal data is whizzing around the globe in a way we couldn’t have imagined a few years ago.
GDPR contains numerous rules on the processing of our personal data: how it is held, stored and shared, and what companies’ responsibilities are in terms of the accuracy of the data, how long they can hold it and for what purpose.
It costs money for the ICO to administer and enforce the new GDPR regime, and someone has to pay for it! Contrary to popular belief, any fines the ICO imposes on companies for breaches of the legislation go straight to the Treasury, rather than funding its work. Hence the new fee was included in the DPA 2018, along with the ICO’s policy of taking a more active role in enforcing it.
Individuals and organisations processing personal data must now register and pay the fee each year, unless they’re exempt.
So if you’re a director of a limited company, a partner in a partnership, or a sole trader running your own small business, you’d do well to keep an eye out for your annual registration fee reminder letter from the ICO.
It’s easy to register online, and only takes a few minutes.
So who is the ICO?
The ICO describes itself as ‘the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’.
It’s one of those bodies often written off - wrongly in our view - as the by-product of a faceless bureaucracy: a quango, yet another ineffective regulator, a back-door source of income for the government…
But the ICO plays a crucial role in holding businesses to account, and encouraging them to use personal data responsibly.
Far from being all-bark-no-bite, the office has the power to issue significant fines.
And it exercises that power regularly, recently imposing a hefty £200,000 penalty on We Buy Any Car Ltd. The vehicle valuation business had sent out millions of unlawful marketing emails and SMS messages to individuals, and paid the penalty for contravening the Privacy and Electronic Communications Regulations (PECR).
How much is the registration fee?
Your annual registration fee will depend on the size of your business and its annual turnover. There are three tiers.
Tier 1: Micro organisations. £40 (£35 by direct debit).
- maximum turnover £632,000, or
- no more than 10 members of staff.
Tier 2: Small and medium organisations. £60 (£55 by direct debit).
- maximum turnover £36 million, or
- no more than 250 members of staff.
Tier 3: Large organisations. £2,900 (£2,895 by direct debit).
- businesses not meeting the criteria for tier 1 or 2.
Which tier am I in?
- 10 members of staff or fewer - Tier 1
- Turnover of £632,000 or less in the last financial year - Tier 1
- 11-250 members of staff - Tier 2
- Turnover of over £36 million in the last financial year - Tier 3.
Find out which tier your business is in.
Two other things to remember:
- If you’re a charity or small occupational pension scheme, you’re in the lowest tier regardless of your size or turnover.
- A ‘member of staff’ means any employee, worker, office holder or partner. The number of members of staff is the average number working for you during your financial year. A part-time staff member counts as one member of staff.
How do I know if I need to pay the fee?
The big questions in understanding whether you need to pay the registration fee or not are:
- is your organisation a ‘data controller’? and
- does your organisation ‘process’ personal data?
Given that even a customer’s email address counts as personal data, not many businesses will escape the processing definition, even those using the simplest of computer systems to communicate with their customers. (If your organisation doesn’t use a computer to process its data, you don’t have to pay the data protection fee – but there aren’t too many businesses like that around any more!)
‘Processing’ personal data is very broad. It covers most things you’re likely to do with the information coming in and out of your business, including:
If your business merely processes data on behalf of another organisation, for example a client, it doesn’t have to pay the fee. This is because only ‘data controllers’ are required to pay the fee – people or organisations who decide what data to process, and why.
Try out the ICO’s registration self-assessment checker to find out if you need to pay a data protection fee.
Who is exempt?
If you process personal data only for one or more of these reasons, you won’t have to pay the data protection fee:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
- Not-for-profit purposes
- Personal, family or household affairs
- Maintaining a public register
- Judicial functions.
If your processing doesn’t go beyond your exempt reason(s), then you’ll be safe not paying the fee. But you must still comply with the eight data protection principles of good practice.
And if you stray into any non-exempt processing at any time during the year, you run the risk of being fined for non-payment. So it’s worth considering a voluntary registration and payment for peace of mind.
Is the ICO fee genuine?
The data protection registration fee is no scam.
But, as with any scheme, there are scammers out there who will welcome the opportunity to turn something honest into an opportunity to part you from your cash. So do be vigilant!
The ICO is alive to the risks. It has issued a warning to businesses to be aware of scams in which criminals attempt to imitate an official request for payment of the fee.
If you receive a letter, text message, email or telephone call that appears to be from the ICO, the official advice is to search ‘ICO fee’ on your usual search engine.
By following the top results to website links which begin with https://ico.org.uk you’ll reach the official ICO website where you can check if you need to make a payment, and pay your fee knowing it’s going to the right place.
Is registration a legal requirement?
The Data Protection Act 2018 makes it a legal requirement for non-exempt data controllers to register and pay the registration fee. For most businesses, the cost of registration isn’t going to worry the CFO too much, so it makes sense to comply.
What is the penalty for not registering or paying the fee?
The penalty for not registering or paying the fee is a fine of up to £4,000 - and potential public shaming on the ICO website.
Are charities exempt from the ICO fee?
Small not-for-profit organisations can be exempt from the fee.
The ICO gives examples of small clubs, voluntary organisations and some charities, but warns that the exemption is narrow: it only applies to processing relating to membership, support for not-for-profit bodies and associations, or membership activities.
If a charity has any commercial operations, like merchandising or retail outlets, it’s unlikely to be exempt and should consider legal advice and/or voluntary registration.
Does a dormant company need to pay the fee?
A company that isn’t trading is unlikely to be processing personal data. It seems unfair for it to have to register or pay the fee. But with the risk of a fine for failure to pay, it may be worth considering a voluntary registration.
For more information on the registration process and advice on whether you need to pay the registration fee, do get in touch. And have a look at our GDPR training to help you stay on top of your data privacy duties.