If you are reading this page, you are probably in the information and communication sector and have recently received a letter from the ICO.
As the UK’s data protection regulator, we are contacting all organisations that appear to need to pay a fee under data protection legislation.
All businesses and other organisations that process personal information should pay the annual data protection fee, unless they are exempt. The fee applies no matter how big, or small, your business or organisation is, although not everyone has to pay the same amount.
If you've paid in the last 14 days, please ignore the letter asking you to pay. If you have paid by card or direct debit, it can take up to 24 hours to receive confirmation. You will need to renew your fee every 12 months.
- What is data protection?
- What is 'personal data'?
- Does data protection apply to me?
- What do I need to do?
- Frequently asked questions
- More information
What is data protection?
The information you hold about your customers and clients is one of your biggest assets. If you want to make the best use of it, you need to be aware of your responsibilities.
Data protection isn’t just about paying the fee. It is the fair and proper use of information about people. Understanding it will help you use that data effectively, so you can provide the products and services your customers want and need. It will also help you use that data safely. Mistakes can be expensive to put right. They can also be damaging to clients and threaten your reputation as a business that puts its customers first.
The UK data protection regime is set out in the Data Protection Act 2018 and the UK GDPR.
What is 'personal data'?
Personal data is information about particular living individuals. This might be anyone, including customers, clients, employees, business partners, members, supporters, business contacts, public officials, or members of the public.
It does not need to be 'private' information – information which is public knowledge, or which is about someone's professional life can be personal data too.
It includes records held electronically (such as on computers, laptops, smartphones, or cameras) as well as paper records, if you plan to put them on a computer or other electronic device or if you file them in an organised way.
Does data protection apply to me?
Yes, if you have information about people for any business or other non-household purpose.
Data protection law applies to any 'processing of personal data', so will apply to most businesses and organisations, whatever their size. But there are some exemptions from the obligation to pay.
What do I need to do?
If you have received a letter from us, quoting your Companies House registration number you must:
Our self-assessment tool will help you work out if you need to pay. We have also added some frequently asked questions below.
If you do need to pay, the online form will ask for your sector. You can choose, but are not limited, to:
- General Business, Supplier of Services, Publishers
- General Business, Business Advice & Consultancy, Consultant
- Online Technology & Telecoms, Service Provider, Internet Service Provider
- Online Technology & Telecoms, Service Provider, IT Support/Helpdesk
- Online Technology & Telecoms, Service Provider, Telecommunications Company
- Online Technology & Telecoms, Software Developer, Software Development
- Online Technology & Telecoms, Software Developer, Web Designer
- Online Technology & Telecoms, Infrastructure & Hardware provider, Web Hosting
- Media, TV/Radio Station, TV/Radio Station
- Membership Association, Club, Club/Society (Charitable)
- Membership Association, Club, Membership Club (Commercial)
- Retail & Manufacture, Supplier of Goods, Retail/Wholesale
Frequently asked questions
I have CCTV on my business premises – do I need to pay?
Yes. Images of people caught on camera is their personal data.
I have a dashcam on my business vehicle – do I need to pay?
If you have a dashcam that you use for work purposes on a vehicle that you use for work – even if you own the vehicle - then you will need to pay a data protection fee. Again, images of people recorded on camera – even when in their cars - will be their personal data.
Do I have to pay if I have a website?
It depends on what’s on your website and what other personal data you hold.
If you use your website to promote another person's business activity, goods, or services, you will need to pay because you are advertising and marketing for others.
If you just have a website that advertises your own products or services, then you won’t need to pay because of your website. But you will need to use our self-assessment tool to see if there are any other activities you undertake that mean you do need to pay.
I am already registered – why have I received a letter?
If you are registered as a sole trader or your registration does not include your companies house number this could be the reason why you have received our letter. Please let us know.
I have a limited company but I’m a sole trader – who needs to be registered?
This depends on who the data controller is, and which entity has the relationship with the client. You will need to determine who is the legal person responsible for the personal data held.
If your limited company is set up for the sole purpose of processing your own accounts through, then this would not require a fee.
I’m unsure if I am data controller or a data processor – how do I determine this?
It is essential for organisations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility.
You may find the following guidance useful:
To determine whether you are a data controller you need to ascertain which organisation decides:
- to collect the personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
- how long to retain the data or whether to make non-routine amendments to the data.
We can only provide guidance and advice, ultimately it is the Data Controllers decision as to whether a registration is needed.
We are a broadcasting company – do we need to pay?
Yes, if you hold personal data electronically for creating and purchasing television or radio content and advertise and market for others you would be required to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are an advertising agency – do we need to pay?
If you are processing personal information when providing consultancy and advisory services when creating your advertising campaigns, you would be required to pay a fee.
I work in public relations and communication – do I need to pay?
If you are processing personal information whilst carrying out your wide range of activities as a public relations and communications company, for example internal/external market research or media communications, you would be required to pay the data protection fee.
We do market research – do we need to pay?
If you are processing personal data on behalf of your client but you are determining the information that is collected and the manner which it is processed. You have the freedom to decide such matters as which customers to select for interview, what form the interview should take, what information to collect from customers and how to present the results. This means that the market research company is a data controller in its own right in respect of the processing of personal data done to carry out the survey, even though the client may retain overall control of the data in terms of commissioning the research and determining the purpose the data will be used for. Therefore, you are required to pay a data protection fee.
I am a freelance or independent journalist - do I need to pay?
If you are self-employed and write articles which includes information about individuals, you are required to pay a fee.
My organisation is a registered charity – do I need to pay?
This would depend on what personal data you were processing and why. A registered charity would only pay the lowest fee tier of £40. Our self-assessment tool will help you determine if you are required to pay a fee.
How do I know if my company can claim the not-for-profit exemption – we don’t make a profit?
To meet the criteria for the not-for-profit exemption the organisation:
- be established as a not-for-profit organisation, which may be stated in your constitution/articles
- only process information necessary to establish or maintain membership or support
- only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
- you only hold information about individuals whose data you need to process for this exempt purpose
- the personal data you process is restricted to personal information that is necessary for this exempt purpose
- only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
The organisation would not be exempt
- if you are responsible for CCTV
- if you provide additional services outside of the organisations aims/objectives that can’t be covered by the other exemptions
- if you trade and share in personal data
We are a community interest company – do we need to pay?
Community interest companies are unlikely to be able rely on the not-for-profit exemption and you must determine which level of fee you are required to pay.
You can complete the self-assessment tool to determine this.
My company/club/society/association holds information about our members – do we need to pay?
The administration of membership records is not an exempt purpose for processing personal data and would require a fee to be paid. If you are set up as a not-for-profit organisation, please see out not-for-profit question above..
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a holding/s company – do we need to pay?
Typically, a holding company may not always hold and process personal information. This may be carried out by another company within your group. You will need to determine who is the data controller and if any organisations within your group of companies is required to pay the fee.
We offer information technology consultancy services – do we need to pay?
Yes, if you are processing personal information when providing a consultancy and advisory services to your clients, you would be required to pay a fee.
We operate telecommunications services – do we need to pay?
Yes, you would be required to pay the data protection fee if your organisation is processing personal information when providing a telecommunications service, this could include but is not limited to voice message, data, text sound and video using a wired or wireless infrastructure.
If you are broadcasting company and processing personal information outside of the core business exemptions - these are staff administration, advertising your own goods and services and accounts and records (sales and purchase ledger records) then you are required to pay a data protection fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a software development company – do we need to pay?
You are more than likely to carry out specific activities if you are a software company such as gathering requirements, testing, planning, designing. If you are processing personal information when carrying out these business functions, you will be required to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We operate other information service activities (this could include but is not limited to, web hosting, streaming services, or application hosting) – do we need to pay?
If, as a data controller you are processing personal information such as third-party advertising; streaming services; communication web forums and webhosting, you would need to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a production company – do we need to pay?
If you process personal data when producing video content for television, film, social media, and adverts, including but not limited to budgeting, scheduling, and scripting then you are required to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are media company - do we need to pay?
If you are processing personal data to provide your media services such as creating a bespoke brand strategy, web design, research and analysis, campaign management, content creation you would be required to pay the fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a book publishing company – do we need to pay?
If personal data is processed electronically for the purpose of bringing books to market which include author selection, manuscript editing, promotion, distribution, and financial management you would be required to pay the fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a games publisher – do we need to pay?
If you process personal data such as research, behavioural data on the interaction of players, run forums and message boards then you would be required to pay a fee.
We are a software publishing company – do we need to pay?
If you process personal data for the purpose of producing computer software, market research and software production you are required to pay a fee.
We are a music publishing company – do we need to pay?
If you are processing personal data when finding new songwriters and composers, providing advice and guidance to new and existing songwriters and composers, promoting and advertising artists songs to record labels, movie and television producers and ensure all receive payment when their composition are used commercially, you are required to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
We are a record company – do we need to pay?
If you are processing personal data when carrying out your wide range of functions including new artist recruitment and development, music publishing and copyright enforcement you would be required to pay a fee.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your company to pay the fee.
I am a music producer – do I need to pay a fee?
If you are processing personal data electronically when gathering ideas, composing music, choosing session musicians, coaching performers, you are required to pay a fee.
More information
There is more information about the data protection fee on our website.
There is also lots of information for sole traders and smaller businesses on our SME web hub, to help you understand data protection and how it can help you safely make the most out of the personal data you hold.