Data protection fee: how much must data controllers pay to register with the ICO?

This blog has been updated to reflect industry updates. Originally published 20 June 2018.

If you’re classified as a data controller under the GDPR (General Data Protection Regulation), you might have overlooked an important compliance obligation: since 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 have required every organisation or sole trader that controls the processing of personal data to register with the ICO (Information Commissioner’s Office) – unless all the processing they carry out is exempt.

Their details are then published in a publicly searchable register of data controllers.

You can use the ICO’s Registration self-assessment tool to find out if you need to register.

How much does it cost?

If you are obliged to register as a data controller, you must pay an annual fee. The amount depends on your size and turnover. There are three different tiers of fees:

  • Tier 1

Micro organisations (those with a maximum turnover of £632,000 for the financial year or no more than 10 members of staff) must pay £40.

  • Tier 2

Small and medium-sized organisations (those with a maximum turnover of £36 million for the financial year or no more than 250 members of staff) must pay £60.

  • Tier 3

Large organisations (those that do not meet the criteria for tiers 1 or 2) must pay £2,900.

Charities, small occupational pension schemes and organisations that have been in existence for less than one month only pay £40, irrespective of their size and annual turnover.

Public authorities should categorise themselves according to staff numbers only and do not need to take account of turnover.

If you pay by direct debit you will receive a £5 discount.

You can use the ICO’s Registration self-assessment tool to find out if you need to register.

Who doesn’t have to pay?

You don’t need to pay a fee if you process personal information without an automated system or process personal data for one or more of the following purposes:

  • Staff administration.
  • Advertising, marketing and public relations.
  • Accounts and records.
  • Not-for-profit purposes.
  • Personal, family or household affairs.
  • Maintaining a public register.
  • Judicial functions.

public consultation on exemptions will close at 4 pm on 1 August 2018.

Remember that you must still fulfil your data protection obligations under the GDPR and the DPA 2018 (Data Protection Act 2018).

What are the fees used for?

The fees are passed directly to the government and are used to fund the ICO’s data protection work.

When do you need to pay?

  • If you are already registered with the ICO (i.e. you notified the ICO under the Data Protection Act 1998 (DPA 1998)) then you don’t need to do anything until your current annual registration expires. You then have 21 days to make your payment.
  • If you were a data controller before 25 May 2018 (i.e. under the DPA 1998) but you hadn’t registered with/notified the ICO then you had 21 days from 25 May to make your payment. In other words, you should have paid by now.
  • If you became a data controller after 25 May 2018 then you have 21 days from the day you became a data controller to make your payment.

What happens if you don’t register?

Under the DPA 1998, failing to register was a criminal offence. This is no longer the case, although the ICO does have the power to enforce the Data Protection (Charges and Information) Regulations 2018 and serve monetary penalties on those that do not pay their data protection fee.

The maximum penalty is a fine of £4,350 (150% of the tier 3 fee).

What information do you need to provide?

When you pay your fee you also need to provide the ICO with:

  • Your name and address (for registered companies this should be your registered address; for others it should be your principal place of business. If this is a domestic address you can provide an alternative address if you wish).
  • Your number of staff.
  • Your turnover for the previous financial year.
  • Your other trading names (if you have any).
  • The name and contact details of the person completing the registration process.
  • The name and contact details of someone in your organisation who can be contacted for regulatory purposes.
  • The name and contact details of your data protection officer (DPO), if you must have one under the GDPR.

What information is published in the register?

The following information will be published in a publicly searchable register:

  • Your name and address.
  • The data protection registration number issued by the ICO.
  • The level of fee you paid (tier 1, tier 2 or tier 3).
  • The date the fee was paid and when it is due to expire.
  • Your other trading names (if you have any).
  • Contact details for your DPO, if you have told the ICO you have one.
  • Your DPO’s name, if you have told the ICO you have one and if they consent to this.

Want to learn more about data protection requirements in the UK?

Anyone who’s interested in learning more about data protection registration and other compliance requirements that you may have neglected should consider enrolling on our Data Protection Act 2018 Distance Learning training course.

The DPA (Data Protection Act) incorporates the GDPR into UK law, and fills in sections of the Regulation that are left to individual member states to interpret and implement.

Our DPA distance learning training course covers everything you need to know, helping you understand exactly what you must do to meet your compliance requirements.

Find out more >>

About The Author

Neil Ford

Neil has worked at IT Governance since 2013. He writes about all IT governance, risk management and compliance subjects, and can often be found talking about them on podcasts and videos.