GDPR – Don’t forget to pay your Data Protection Fee to ICO

3rd April 2019

There was a flurry of activity last year as UK organisations took steps to comply with the General Data Protection Regulation (GDPR) by 25 May 2018.  Although the GDPR is a piece of European legislation it will remain in force whatever shape Brexit takes.

So organisations will need to comply with it (as well as the Data Protection Act 2018) and also the additional rules in the UK (Privacy and Electronic Communications Regulations (PECR)) regarding direct marketing communications (marketing phone calls, texts and e-mails).  Compliance with the law here should have been part of an organisation’s preparations for the GDPR as PECR and the GDPR work together.

Now the dust has settled on the GDPR there have been no massive fines and stringent regulatory action as yet in the UK, although it is fair to say that a number of very serious breaches of the GDPR are being investigated with regulatory action awaited.  Nevertheless the Information Commissioner’s Office (ICO) continues to be active in fining those organisations who suffer personal data breaches in breach of the law and/or who send “spam” e-mails, or other unsolicited marketing communications, for example.  And it has also been very active in taking action against businesses who fail to pay the required data protection fee under the GDPR.  This can catch organisations unaware.  The ICO has been targeting non fee payers across a range of business sectors.

So unless your data processing is very limited in scope and you are exempt (and if you use CCTV on your business premises for crime prevention, for example, you won’t be exempt) then you will need to pay an annual data protection fee to ICO.   You can follow a simple online “self-assessment test” on the ICO website to double check if you are exempt or not, and ICO’s test will also tell you what fee to pay as well.  The fee bands are as follows:

Tier 1 – micro organisations

You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2 – small and medium organisations

You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – large organisations

If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. ICO regard all data controllers as eligible to pay a fee in tier 3 unless and until they tell ICO otherwise.

ICO has been sending out reminders to pay the fee if you were registered and paid a fee to ICO under the previous law (Data Protection Act 1998) – if you get one you must take action or face enforcement action/a fine.  Even if you were not registered under the previous law you should nevertheless still check as soon as possible via the ICO website whether you need to pay the fee, as if you are not exempt and don’t pay the fee the ICO’s sanctions include a monetary penalty.   In 2018 ICO issued 103 monetary penalties for non payment of the data protection fee, with penalties imposed ranging from £400 to £4,000.  So it is clearly much better to pay the fee if you need to.  Paying the fee also means you are on the public register of data protection fee payers  – this gives comfort to those doing business with you that you take compliance with the GDPR seriously – something ICO has highlighted in a recent blog.