How much does it cost?
Your data protection fee depends on the size of your organisation or turnover. There are three different tiers of fees controllers are expected to pay - £40, £60 or £2,900. The payment is always VAT nil. For most organisations, the cost will be £40 or £60.
The tier your organisation falls into depends on:
- how many members of staff you have;
- your annual turnover;
- if your organisation is a public authority;
- if your organisation is charity; or
- if your organisation is a small occupational pension scheme.
Tier 1 – micro organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.
You can use our fee-assessment tool to find out how much you will need to pay.
I paid online - where is my receipt?
Receipts will be emailed to you within 1-3 working days of completing your transaction. If you have not received a receipt after three working days, please contact us.
I have a number of organisations with the same information – how should I pay the data protection fee?
Contact the data protection fees helpline on 0303 123 1113 to discuss how we can help. Separate fees must be paid for each company individually if it is a data controller.
I am the principal of a practice and also have a limited company – how should I pay the data protection fee?
This depends on who owns and has responsibility and control for the information processed eg patient records. If the limited company has been put in place purely for tax purposes then it is usually the principal that is required to pay a fee.
I have a limited company with numerous practices – do I need to pay a fee for each location?
If all the practices are part of the same legal entity then one fee would cover all of the sites, as long as each practice is not trading as a separate organisation and the limited company determines why and how personal data is used.
Can an agency pay the data protection fee on my behalf?
There are some private companies who offer to complete the data protection fee payment on behalf of your organisation, often charging more than the standard cost. Be aware that these agencies have no official standing or powers under data protection law, and there is no connection between them and the ICO - we recommend you pay us directly.
We are a not-for-profit organisation - do I need to pay a fee?
You do not have to pay a fee if your organisation was established for not-for-profit making purposes and does not make a profit or if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:
- only process information necessary to establish or maintain membership or support
- only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
- you only hold information about individuals whose data you need to process for this exempt purpose
- the personal data you process is restricted to personal information that is necessary for this exempt purpose
- only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
I am a multi academy trust (MAT) – how should I pay?
Under the multi academy trust arrangements, the MAT is responsible for the activities of all the schools in the MAT, even though some functions may have been delegated to local Heads of School or Local Governing Bodies. Ultimate responsibility lies with the MAT. Providing the schools and academies within the MAT do not have any legal status separate from that of the MAT, the MAT is the legal entity responsible for the processing of personal data by the schools and the academies with the MAT. The MAT would be the data controller for the processing and required to pay a data protection fee.
If the schools or academies within the MAT are not separate legal entities, we also recommend the schools or academies within the MAT are shown as trading names on the MAT entry. It is important that parents and children to see who is responsible for processing of personal data.
I’m a childminder - why do I have to pay a fee?
The Data Protection (Charges and Information) Regulations 2018 requires all businesses to pay unless they are exempt. If you are processing personal information electronically for the provision of childcare - including taking photographs of the children in your care using a digital camera - then you must pay a fee.
I am the principal of a dental practice – do I need to pay a fee?
If the principal of a practice has responsibility and control of the patient records in the practice, they would be required to pay a data protection fee.
I am a medical/ dental practice manager – do I need to pay a fee?
In general, a self-employed practice manager is usually a data processor as they do not determine how the personal information is processed. They will usually act on instruction from the data controller, ie the principal of the practice, when processing personal information. If you are an employee you will be covered by your employer’s fee and you will not be required to pay your own.
My dental practice is a partnership – do all partners have to pay a fee separately?
If you're in a partnership and each partner is responsible for the processing and security of their own patient information, which they would take with them if they left the practice, then each partner would need to pay a separate fee.
I am a dental associate or dental hygienist – do I need to pay a fee?
It is not possible to give a definitive answer as there are a number of arrangements between dentists and dental hygienists, but there are a number of questions that might clarify whether a dental hygienist is a data controller and needs to pay a fee:
- Are you responsible for the control and security of patient records, and do you have other responsibilities associated with the data?
- Do you have a patient list separately from the practice in which you treat patients that would follow you if you left?
- Do you treat the same patient at different practices?
- If a complaint was made by a patient, or data was lost, would you be legally responsible for dealing with the matter?
If you answer ‘yes’ to any of the above questions, you are likely to be a data controller and will need to pay the ICO a data protection fee.