Many companies are at risk of receiving hefty fines and attracting bad publicity by failing to register and pay the data protection fee under the Data Protection (Charges and Information) Regulations 2018 (“Regulations”). Registration and payment of the fee to the Information Commissioner’s Office (ICO) is a relatively straightforward step. You can do this online and it only takes 15 minutes to complete the process. On the other hand, failure to pay the fee is publicly visible, because firms which have registered appear on the searchable register on the Information Commissioner’s website, which contains the name and address of data controllers and the payment tier under which they fall. Failure to pay could also betray a failure to comply with Data Protection requirements more generally.
The Regulations require every data controller who is processing personal information to pay the data protection fee to the ICO, subject to limited exemptions. Most organisations will handle personal data as a data controller in one form or another, and therefore the requirement to register applies in relation to most UK organisations. Once registered, controllers are required to renew their registration annually. Failure to pay where required to do so can attract a fine of up to £4,350.
There is no need to pay the data protection fee if you only handle personal data for one or more of the following reasons:
- staff administration
- advertising, marketing and PR
- accounts and record keeping
- not-for-profit purposes
- personal, family or household affairs
- maintaining a public register
- judicial functions
- processing personal information without an automated system such as a computer
So long as processing remains strictly within these limits, then there is no need to pay the fee. However, even if you are exempt from paying the fee, you must still comply with the other requirements under data protection law more generally, and it may be advisable to register voluntarily for public transparency and in case any of your processing should extend beyond the scope of the exemptions (so as to avoid receiving a fine).
Payment of the fee can be made online here, and the amount to be paid depends on where your business sits on the three-tier scale:
- £40 fee – micro organisations, with a maximum turnover of £632,000 and no more than 10 members of staff
- £60 fee – SMEs, with a maximum turnover of £26 million and no more than 250 members of staff
- £2,900 fee – large organisations, with turnover in excess of £36 million and/or more than 250 members of staff.
There are some exceptions to the tier system set out above under the Regulations, namely:
- when determining the fee payable for public authorities, only the number of members of staff is relevant
- charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover
- small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
If you do not inform the ICO of your particular circumstances, the default position is that you belong in tier 3 and have to pay the highest data protection fee.
The ICO does not seek to verify the contents of the information provided when payment is made and cannot refuse to accept payment. However, in the event of any sort of regulatory action following, for example, a complaint about data protection, the ICO may check that the information provided is accurate and take enforcement action if it is found to be inaccurate or incomplete.
The fee is payable annually and you get a £5 reduction of the fee if you choose to pay by Direct Debit. There is no such thing as a parent company registration, which means that each data controller within a corporate group must register. The data protection public register can be searched on the ICO website here.
Contact us if you need any assistance with paying your data protection fee or if you need advice in respect of your Data Protection obligations.