The ICO exists to empower you through information.

What is the ICO?

The ICO is the Information Commissioner’s Office. It exists to empower you through information.

This is a pivotal time for data protection and privacy and the ICO’s work as the UK’s information rights regulator has never been more relevant.

Almost everything we do creates a digital data trail – shopping online, posting on social media, banking on the go or scanning a travel card. People’s personal data has never been more valuable and we should be able to trust that organisations will treat it fairly and look after it securely.

Whether we are investigating a cyber-attack on a multi-national company or the loss of patient data from a local hospital, the ICO will take action on behalf of the UK public.

The data protection laws we regulate have undergone recent reform, our battle to stop nuisance calls is gathering momentum and our role in upholding the Freedom of Information Act is vital in ensuring the public’s right to know.

What is the data protection fee?

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt.

You need to renew your data protection fee each year, or tell the ICO if your registration is no longer required. If you fail to do so, the ICO can issue a monetary penalty of up to £4,000 on top of the fee you are required to pay.

It is the law to pay the fee, which funds the ICO’s work, but it also makes good business sense because whether or not you have paid could have an impact on your reputation.

Businesses have been paying some form of data protection fee for over 30 years. But how a typical business processes personal data today would have been unrecognisable 30 years ago, and data is extremely valuable. Perhaps unsurprisingly, more sole traders and organisations have fulfilled their legal requirement to register with the ICO than ever before. Our register of fee payers represents more than 1 million companies and it is growing by the day.

The ICO is responsible for collecting the fee and we regularly promote the need to pay it. When your fee payment is in date, this is a positive mark against your company’s name and it would avoid us having to contact you regarding the data protection fee.

I’ve received a letter about the data protection fee. Why did you write to me?

In November 2019, we launched a campaign to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the data protection fee is paid by all those who need to pay it.

The letters we are sending to organisations are to help them comply with the law by reminding them to check if they need to pay a fee.

Some company data has to be made publicly available by law such as data published at gov.uk. For information about what the ICO does with personal data, please see our privacy notice at ico.org.uk/privacy-notice

How do I know if I need to pay the data protection fee and register with the ICO?

You can quickly and easily find out if your organisation needs to pay the fee by using our registration self-assessment.

Which sorts of companies are likely to need to pay?

The fee is payable by a range of companies from sole traders and small to medium-sized enterprises (SMEs) through to large organisations, depending on your practices. The amount payable varies depending on the size of the organisation.

Any company using CCTV for crime prevention purposes is required to pay an annual data protection fee to the ICO, regardless of other aspects of your business and operations. This means that you do not need to take our registration self-assessment if you use CCTV for crime prevention purposes, because the answer to whether or not you have to pay will always be ‘yes’. You can pay now by visiting www.ico.org.uk/fee.

If you hold personal information for business purposes on any electronic device, you may need to pay an annual fee and it is your responsibility to find out.

What do I get for paying the fee?

It is the law to pay the fee, which funds the ICO’s work, but it also makes good business sense because whether or not you have paid could have an impact on your reputation.

Being listed as a fee payer on the ICO’s website sends a strong message to all those seeking to do business with you: it shows that you are aware of your data protection obligations, and that you run a tight ship.

Members of the public and other companies will feel reassured to see your company’s name on this list because it means you value their information. They are more likely to put their trust in you than in another company who is missing from this list.

How is the money from fees used?

Paying the data protection fee is important because it funds the ICO’s work providing advice and guidance about how to comply with the law – such as our online guidance, our telephone helpline, and our digital toolkits.

What happens if I avoid paying the fee?

If you need to pay and do not pay, you could be fined up to £4,000. Between May 2021 and January 2022, we issued 126 monetary penalties to organisations that have not paid the data protection fee.

As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations on the register of fee payers. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information.

We need to make sure that the data protection fee is paid by all those who need to pay it.

How much is the fine if the ICO discovers that my data protection fee payment is overdue?

Fines range from £400 to £4,000.

When is my fee due?

If you have received correspondence from us about your data protection fee, it will include the date by which we are expecting to hear from you. It is an annual fee, so if you have paid recently, please be proactive in setting yourself a reminder to pay again within the next 12 months.

We know that time is money, especially for a one-person business or a small organisation, so we have made it as easy as possible to pay. You can do this online and it only takes 15 minutes to complete the process.

How much does it cost?

The cost of the data protection fee depends on a company’s size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60. If it avoids you paying a fine and protects your reputation, we think that is money well-spent.

The cost is reduced by £5 if you pay by direct debit. You can use our fee self-assessment to find out how much you will need to pay.

The tier your organisation falls into depends on:

  • how many members of staff you have;
  • your annual turnover;
  • if your organisation is a public authority;
  • if your organisation is a charity; or
  • if your organisation is a small occupational pension scheme.

Tier 1 – micro organisations

You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2 – small and medium organisations

You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – large organisations

If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.

You can use our fee self-assessment to find out how much you will need to pay.

How do I pay?

If you need to pay, please visit ico.org.uk/fee. You must complete the online application before sending your payment if you have not previously registered with us. It takes about 15 minutes. You can save time, hassle and money each year by setting up a direct debit, which deducts £5 from your fee.

If I set up a Direct Debit, do I need to pay this year’s data protection fee by another method?

Not at all. If you complete a Direct Debit instruction, we will take a payment by Direct Debit for this year as well as subsequent years. It couldn’t be easier.

Our bank details have changed. How do we update our Direct Debit?

If you have changed bank account, you can provide the updated details for your Direct Debit by completing and returning a new Direct Debit instruction. We accept scanned copies of the Direct Debit instruction. These can be emailed in a PDF format to [email protected]. When sending the Direct Debit instruction to us please put ‘Completed Direct Debit’ in the subject line.

I paid online - where is my receipt?

If you have paid by credit or debit card, receipts will be emailed to you within 1-3 working days of completing your transaction. If you have not received a receipt after three working days, please contact us. We are currently unable to send a receipt automatically when you have paid by direct debit. However, if you require a receipt when you have paid by direct debit, please get in touch and we will send one out. 

I think I've paid twice - what should I do?

This can happen if you have refreshed the payment page during payment, or if you have entered your card details and clicked ‘Pay’ twice for the same registration. If you find you have paid more than one fee for the same organisation, please contact us.

I have a number of organisations with the same information – how should I pay the data protection fee?

Contact the data protection fees helpline on 0303 123 1113 to discuss how we can help. Separate fees must be paid for each company individually if it is a data controller.

I have a limited company with numerous practices – do I need to pay a fee for each location?

If all the practices are part of the same legal entity then one fee would cover all of the sites, as long as each practice is not trading as a separate organisation and the limited company determines why and how personal data is used.

Can an agency pay the data protection fee on my behalf?

There are some private companies who offer to complete the data protection fee payment on behalf of your organisation, often charging more than the standard cost. Be aware that these agencies have no official standing or powers under data protection law, and there is no connection between them and the ICO - we recommend you pay the ICO directly.

How can I protect myself from scams?

The ICO is warning companies to be aware of scams relating to payment of the data protection fee. If you have received a letter, text message, email or telephone call from us, you should always be directed to pay using our official website which is ico.org.uk. More generally, if you want to check that correspondence you have received is genuine, it is a good idea to search online for the organisation who sent it, or talk to someone you trust such as a friend or family member. You can also visit gov.uk or Action Fraud for advice.

I have a dashcam that I use for work. Do I need to pay a fee?

If you have a dashcam that you use for work purposes on a vehicle that you use for work, then you are likely to need to register and pay a data protection fee to the ICO unless you are exempt. This is because the use of the dashcam in or on your vehicle for work purposes will not be considered as ‘domestic’ and therefore not exempt from data protection laws. You can use the registration self-assessment on our website to check whether you are exempt from paying the data protection fee for the use of your dashcam. If you operate a dashcam on or in your work vehicle you should select ‘Yes’ to the question about whether you operate CCTV.

I am the principal of a dental practice – do I need to pay a fee?

If the principal of a practice has responsibility and control of the patient records in the practice, they would be required to pay a data protection fee.

I am a medical/dental practice manager – do I need to pay a fee?

In general, a self-employed practice manager is usually a data processor as they do not determine how the personal information is processed. They will usually act on instruction from the data controller, ie the principal of the practice, when processing personal information. If you are an employee you will be covered by your employer’s fee and you will not be required to pay your own.

My dental practice is a partnership – do all partners have to pay a fee separately?

If you're in a partnership and each partner is responsible for the processing and security of their own patient information, which they would take with them if they left the practice, then each partner would need to pay a separate fee.

I am a dental associate or dental hygienist – do I need to pay a fee?

It is not possible to give a definitive answer as there are a number of arrangements between dentists and dental hygienists, but there are a number of questions that might clarify whether a dental associate or dental hygienist is a data controller and needs to pay a fee:

  • Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
  • Do you have a patient list separately from the practice in which you treat patients that would follow you if you left?
  • Do you treat the same patient at different practices?
  • If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?

If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to pay the ICO a data protection fee.

We are a not-for-profit - do we need to pay?

If your organisation was established for not-for-profit-making purposes and either does not make a profit, or makes a profit for its own purposes which is not used to enrich others, the not-for-profit exemption may apply. To qualify, you must also:

  • only process information necessary to establish or maintain membership or support;
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
  • only hold information about individuals whose data you need to process for the above purposes; and
  • only process the personal data that is necessary for the above purposes.

For example: if you use CCTV for the purposes of crime prevention, this falls outside of the exemption and would require payment of the fee.

Why have you used my details to send me information which isn’t about my registration?

The UK GDPR puts the Information Commissioner under a duty to:

"promote awareness of controllers and processors of their obligations under this Regulation."

Sending you information about how we can help you meet your obligations under the UK GDPR will help us meet ours.

If you prefer not to receive these messages, please email [email protected] with your registration reference (eg ZA123456), and your business’s name, or your name if you are a sole trader, and we’ll stop sending this information to you.

We will still get in touch about other matters relating to our regulatory function, for example letting you know your registration renewal is due.