The data protection fee applies to all organisations (including sole traders) who process personal information, unless exemptions apply.
The fee, paid to the ICO, ranges from £40 to £2,900 and is in accordance with the Data Protection (Charges and Information) Regulations 2018, which supports the Data Protection Act (2018) and the UK General Data Protection Regulations (GDPR).
Processing personal data can mean collecting, storing, using or sharing personal information, or any other use of it.
The costs, which are decided by the Government, are arranged in a tier structure depending on several factors. The tier each organisation falls into, and therefore the amount due in the data protection fee, depends on the number of staff, annual turnover and the type of business.
Tier 1 – micro-organisations
Maximum turnover: £632,000
Members of staff: No more than 10
Data protection fee: £40
Tier 2 – small and medium organisations
Maximum turnover: £36 million
Members of staff: No more than 250
Data protection fee: £60
Tier 3 – large organisations
Any organisation that does not fit into tier 1 or tier 2. All tier 3 organisations are required to pay the data protection fee unless discussed with the ICO.
Data protection fee: £2,900
*Public authorities only need to apply the staff numbers when calculating the data protection fee; turnover is not relevant. Charities and small occupational pension schemes, some of whom may already receive an exemption, will only be required to pay the tier 1 fee regardless of staff numbers and turnover.
The fees cover a 12-month period and can be set up to automatically renew on the ICO website. Some exemptions apply, depending on factors such as the purpose for which the data is processed; however, all organisations must register in order to claim their exemption.
To find out whether the exemptions apply, or how much the data protection fee may cost, take the ICO’s self-assessment and register on their website.
It is recommended that organisations regularly review and re-assess their position, in order to confirm that their setup is still within the same tier, or within the exemption. Businesses will be classed as breaking the law if, as a controller processing personal data, they do not pay the data protection fee or do not pay the correct data protection fee. The maximum penalty is a £4,350 fine, which is 150% of the tier 3 fee.
The data protection fee is often the responsibility of the information governance team, or the Data Protection Officer (DPO). Many organisations choose to outsource this role, allowing them the peace of mind that data protection compliance is covered by an expert team without requiring additional members of staff.
Our Managed Service support option means organisations can hand the responsibilities of the Data Protection Officer and other roles to our expert team, who have held the role many times previously and many of whom have played a key part in developing such roles themselves. Our support options are variable to allow you to choose how much support you may require, whether that is minimal and occasional guidance when required or cover for all elements of responsibility. It is a hugely popular service and feedback received shows that our clients value the peace of mind in knowing expert support is on hand whenever it is needed.