ICO sends notices to 34 organisations for failure to pay the new data protection fee

08 October 2018

  • Failure to pay fee to ICO is now a civil offence

  • If you process data and are not exempt you must pay a fee

The ICO (Information Commissioner's Office) revealed in a statement that it had sent notices of intended enforcement to 34 organisations that will be liable to pay a fine of up to £4,000 unless they pay the required fees.

On the 25th May 2018, the Data Protection (Charges and Information) Regulations came into force, changing the way the ICO raises its funds to carry out data protection work. The data protection fee replaces the requirement to notify.

Under the General Data Protection Regulations 2018, organisations that are data controllers must pay the ICO a data protection fee unless they are exempt.

An organisation will be exempt if it processes data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

The ICO has produced an online questionnaire that you can use to check if you are liable to pay the fee – follow this link to use the questionnaire.

There are different tiers of fee and controllers are expected to pay between £40 and £2900. The tier you fall into depends on:

  • Your annual turnover
  • How many staff you have
  • Whether you are a charity
  • Whether you are a small occupational pension scheme
  • Whether you are a public authority

Aspire Comment

It is extremely important to review whether your business needs to pay a data protection fee for two reasons. Firstly, you do not want to face fines for non-compliance. Secondly, the ICO may suspect there are other areas of concern and open up an investigation into your General Data Protection Regulation practices.

See the ICO guidance here.