What is the ICO?

The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This is a pivotal time for data protection and privacy and the ICO’s work as the UK’s information rights regulator has never been more relevant.

Almost everything we do creates a digital data trail – shopping online, posting on social media, banking on the go or scanning a travel card. People’s personal data has never been more valuable and we should be able to trust that organisations will treat it fairly and look after it securely.

Whether we are investigating a cyber-attack on a multi-national company or the loss of patient data from a local hospital, the ICO will take action on behalf of the UK public.

The data protection laws we regulate have undergone recent reform, our battle to stop the scourge of nuisance calls is gathering momentum and our role in upholding the Freedom of Information Act is vital in ensuring the public’s right to know.

What is the data protection fee?

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt.

You need to renew your data protection fee each year, or tell the ICO if your registration is no longer required. If you fail to do so, the ICO can issue a monetary penalty of up to £4,000 on top of the fee you are required to pay.

It is the law to pay the fee, which funds the ICO’s work, but it also makes good business sense because whether or not you have paid could have an impact on your reputation.

Businesses have been paying some form of data protection fee for over 20 years. But how a typical business processes personal data today would be unrecognisable 20 years ago and data is extremely valuable. Perhaps unsurprisingly, more sole traders and organisations have fulfilled their legal requirement to register with the ICO than ever before. At the beginning of 2020, our register of data controllers represented more than 635k companies and it is growing by the day.

The ICO is responsible for collecting the fee and we regularly promote the need to pay it. When your fee payment is in date, this is a positive mark against your company’s name and it would avoid us having to contact you regarding the data protection fee.

I’ve received a letter about the data protection fee. Why did you write to me?

In November 2019, we launched a campaign to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the data protection fee is paid by all those who need to pay it.

The letters we are sending to organisations are to help them comply with the law by reminding them to check if they need to pay a fee.

Some company data has to be made publicly available by law such as data published at gov.uk. For information about what the ICO does with personal data, please see our privacy notice at ico.org.uk/privacy-notice.

How do I know if I need to pay the data protection fee and register with the ICO?

You can quickly and easily find out if your organisation needs to pay the fee by using our self-assessment checker.

Which sorts of companies are likely to need to pay?

The fee is payable by a range of companies from sole traders and SMEs through to large organisations, depending on your practices. The amount payable varies depending on the size of the organisation.

Any company using CCTV for crime prevention purposes is required to pay an annual data protection fee to the ICO, regardless of other aspects of your business and operations. This means that you do not need to take our self-assessment checklist if you use CCTV for crime prevention purposes, because the answer to whether or not you have to pay will always be ‘yes’. You can pay now by visiting www.ico.org.uk/fee.

If you hold personal information for business purposes on any electronic device, you may need to pay an annual fee and it is your responsibility to find out.

What should I do if I’m exempt from paying the fee?

There are not many situations where you would be exempt from paying a fee, but you can check at ico.org.uk/fee-checker.

If you have received a letter from us about your data protection fee, and if our online fee checker says you do not need to pay, please let us know by filling in the short form at ico.org.uk/no-fee, and we will update our records. There is no need to call us as well as completing the form.

What do I get for paying the fee?

It is the law to pay the fee, which funds the ICO’s work, but it also makes good business sense because whether or not you have paid could have an impact on your reputation.

Being listed as a fee payer on the ICO’s website sends a strong message to all those seeking to do business with you: it shows that you are aware of your data protection obligations, and that you run a tight ship.

Members of the public and other companies will feel reassured to see your company’s name on this list because it means you value their information. They are more likely to put their trust in you than in another company who is missing from this list.

How is the money from fees used?

Paying the data protection fee is important because it funds the ICO’s work providing advice and guidance about how to comply with the law – such as our online guidance, our telephone helpline, and our digital toolkits.

What happens if I avoid paying the fee?

If you need to pay and do not pay, you could be fined up to £4,000. Between July and December 2019, we issued 554 monetary penalties to organisations that have not paid the data protection fee.

As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information.

We need to make sure that the data protection fee is paid by all those who need to pay it. We will soon be contacting organisations that did not make contact with us before the deadline outlined on their letter.

How much is the fine if the ICO discovers that my data protection fee payment is overdue?

Fines range from £400 to £4,000.

When is my fee due?

If you have received a letter from us about your data protection fee, it will include the date by which we are expecting to hear from you. It is an annual fee, so if you have paid recently, please be proactive in setting yourself a reminder to pay again within the next 12 months.

We know that time is money, especially for a one-person business or a small organisation, so we have made it as easy as possible to pay. You can do this online and it only takes 15 minutes to complete the process.

How much does it cost?

The cost of the data protection fee depends on a company’s size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60. If it avoids you paying a fine and protects your reputation, we think that is money well-spent.

The cost is reduced by £5 if you sign up by direct debit and you can find out how much you need to pay by taking a self-assessment.

The tier your organisation falls into depends on:

  • how many members of staff you have;
  • your annual turnover;
  • if your organisation is a public authority;
  • if your organisation is a charity; or
  • if your organisation is a small occupational pension scheme.

Tier 1 – micro organisations

You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2 – small and medium organisations

You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – large organisations

If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.

You can use our fee-assessment tool to find out how much you will need to pay.

How do I pay?

If you need to pay, please visit ico.org.uk/fee and click ‘first time payment’, unless you have registered with us before. You must complete the online application before sending your payment. It takes about 15 minutes. You can save time, hassle and money each year by setting up a direct debit, which deducts £5 from your fee.

I paid online - where is my receipt?

If you have paid by credit or debit card, receipts will be emailed to you within 1-3 working days of completing your transaction. If you have not received a receipt after three working days, please contact us.

I think I've paid twice - what should I do?

This can happen if you have refreshed the payment page during payment, or if you have entered your card details and clicked Pay twice for the same registration. If you find you have paid more than one fee for the same organisation, please contact us.

I’m exempt and I’ve let you know using the form at ico.org.uk/no-fee. Is that all I need to do?

Yes – thank you for letting us know that you are exempt from paying the data protection fee this year. Our system does not issue a confirmation of receipt automatically, so you should not expect to hear from us unless we have a query about your response.

I have a number of organisations with the same information – how should I pay the data protection fee?

Contact the data protection fees helpline on 0303 123 1113 to discuss how we can help. Separate fees must be paid for each company individually if it is a data controller.

I have a limited company with numerous practices – do I need to pay a fee for each location?

If all the practices are part of the same legal entity then one fee would cover all of the sites, as long as each practice is not trading as a separate organisation and the limited company determines why and how personal data is used.

Can an agency pay the data protection fee on my behalf?

There are some private companies who offer to complete the data protection fee payment on behalf of your organisation, often charging more than the standard cost. Be aware that these agencies have no official standing or powers under data protection law, and there is no connection between them and the ICO - we recommend you pay us directly.

How can I protect myself from scams?

The ICO is warning companies to be aware of scams relating to payment of the data protection fee. If you have received a letter, text message, email or telephone call from us, you should always be directed to pay using our official website which is ico.org.uk. More generally, if you want to check that correspondence you have received is genuine, it is a good idea to search online for the organisation who sent it, or talk to someone you trust such as a friend or family member. You can also visit gov.uk or Action Fraud for advice.