Do you need to pay the Data Protection Fee to the ICO?
We are increasingly being asked this by clients following the introduction of the GDPR and the Data Protection Act 2018. The general position is that if you are processing personal information as a data controller, you need to pay the data protection fee to the ICO.
The amount that you are required to pay will depend on a number of factors such as your number of staff and annual turnover. For most organisations the fee is either £40 or £60. The highest level of fee is £2,900.
The ICO have produced a self-assessment tool which will assist you in establishing whether you need to pay a fee: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
There are exemptions to the requirement to pay a fee though. There is currently a live Government consultation on who should be exempt from paying the fees. The consultation closes on the 1st August after which any changes will be communicated.
The current general position regarding exemptions is that you don’t need to pay a fee if you are only processing personal data for one of the following ‘core business’ reasons: for the purpose of employee administration, advertising and maintaining records (there are more than this, but these are the most commonly used). This may apply to a small business that is only carrying out processing activities in order to carry out its primary business. If you are controlling and processing personal data for other reasons, it is likely that you will need to pay the fee.
Once registered, certain limited information will be published by the ICO. The maximum penalty for not paying the fee when you should have is £4,350, so it is definitely worth carrying out the above assessment to work out if you should be paying the fee, or whether your fee needs to be renewed soon.
The ICO guide to the Data Protection Fee can be found here: https://ico.org.uk/media/for-organisations/documents/2259094/dp-fee-guide-for-controllers-20180601.pdf