Fixed penalties for failure to pay the data protection charge

  1. The Information Commissioner is the regulator of data protection and other information rights.
  2. Regulation 2 of the Data Protection (Charges and Information) Regulations 2018 (as amended) (the Regulations) requires a data controller to pay an annual charge to the Information Commissioner (unless their processing is exempt). It also requires the data controller to supply the Information Commissioner with specified information so that the Commissioner can determine the relevant charge, based on turnover and staff numbers.
  3. The level of the charge (the data protection fee) is set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. There are three different tiers of data protection fees between £52 and £3763.
  4. A breach of the Regulations is a matter falling under S149(5) of the Data Protection Act 2018 (DPA 2018). Section 155(1) of the DPA provides that the Commissioner may serve a Penalty Notice on a person who breaches their duties under the Regulations.
  5. The Commissioner has produced and published this document in performance of the statutory obligation set out in section 158 DPA 2018 to publish a document specifying the amount of the fixed penalty for a failure to pay the data protection charge in accordance with the Regulations.
  6. This document updates and replaces the sections about Fixed Penalties in the Regulatory Action Policy published in November 2018. That policy previously set out the fixed penalty payable by a controller for any type of failure to pay a data protection charge in accordance with the Regulations.

Fixed penalties 

  1. For the purposes of section 155 of the DPA, the fixed penalty payable by a controller for any type of failure to pay a data protection fee in accordance with the Data Protection (Charges and Information) Regulations 2018 is as follows:

    (a) tier 1 (micro-organisations), is £400; 
    (b) tier 2 (small and medium organisations), is £600; 
    (c) tier 3 (large organisations), is £4,000.
  2. We reserve the right to increase this amount up to a statutory maximum of £4,350 for data controllers in respect of a failure to provide the ICO with sufficient information to determine the appropriate fee/exemption, depending on aggravating factors (for example, a failure to engage or co-operate with the ICO).
  3. Fixed penalties will be imposed in accordance with the law and with this document.