Understanding the ICO Data Protection Fee

What is the ICO?

The ICO is an independent organisation set up in 1984 to uphold information rights in the public interest, focusing on how businesses process and store personal data. The ICO covers multiple pieces of legislation including the Data Protection Act 2018 following the introduction of the General Data Protection Regulation (GDPR). The fees paid to the ICO contribute to the organisation’s work to advise and guide individuals and businesses about how to comply with legal requirements.

What do I need to do?

Any business that processes personal data needs to register with the ICO, and pay the appropriate fee that corresponds to their business structure on an annual basis. The annual fee payable is broken down into 3 separate tiers, depending on the size of the company and their annual turnover.

Tier 1 – Micro Organisations – £40: This is for organisations with no more than 10 members of staff or a maximum turnover of £632,000.

Tier 2 – Small and Medium Organisations – £60: This is for organisations with no more than 250 members of staff or whose annual turnover does not exceed £36 million.

Tier 3 – Large Organisations – £2900: If your organisation does not fall into the criteria for tier 1 or tier 2, then you must pay the fee for tier 3.

Any business that uses CCTV for the purpose of crime prevention is required to pay the annual data protection fee, regardless of any other aspects of their business.

Are there exemptions to the ICO fee?

According to the ICO website, you will be exempt from paying the fee if you are processing personal data for one or more of the following purposes:

Staff administration

Advertising, marketing and public relations

Accounts and records

Not-for-profit purposes (the exemption is narrow and further conditions do apply)

Personal, family and household affairs

Maintaining a public register

Judicial functions

Processing personal information without an automated system such as a computer, and;

Since 1 April 2019, members of the House of Lords, elected representatives and prospective representatives are also exempt.

If you are unsure whether your company is exempt from paying the data protection fee, the ICO website features a helpful self-assessment tool to assess your status.

What happens if my company does not pay the ICO fee?

The ICO will fine companies that do not pay the ICO data protection fee (where they are not exempt), or for GDPR breaches that the company was responsible for. The current fine for failing to pay the ICO fee is up to £4000, which is a staggering 100 times higher than the tier 1 payment, which micro businesses, the majority of businesses in the UK, would need to pay.

In the past sizeable fines have been handed out to companies who have been found to have breached GDPR guidelines.

In 2020, British Airways was fined after website users were directed to a fraudulent website. The fine was lowered to £20 million when the economic impact of Covid-19 was taken into account.

Marriott International was fined £18.4 million in 2020 due to a data hack from 2014, which wasn’t discovered until 4 years later, in which 300 million customers personal details were stolen.

By not paying the data protection fee, you are not only risking a large penalty, but also the reputation of your company. The ICO has a public list of all the companies that have paid the fee and joined their register. Additionally, they have a list of penalty notices issued to organisations that have not paid. Potential clients could see this as a reluctance to take protecting their personal information seriously, and this could impact on your business in the long run.

Running a business is stressful, expensive and time consuming. However, unless you fit the exemption criteria, paying the ICO fee is just another expense in the life of a business owner. Do not ignore any letters from the ICO or you could face problems larger and more costly than the data protection fee.