If you are reading this page, you are probably in the other service activities sector and have recently received a letter from the ICO.
As the UK’s data protection regulator, we are contacting all organisations that appear to need to pay a fee under data protection legislation.
All businesses and other organisations that process personal information should pay the annual data protection fee, unless they are exempt. The fee applies no matter how big, or small, your business or organisation is, although not everyone has to pay the same amount.
If you've paid in the last 14 days, please ignore the letter asking you to pay. If you have paid by card or direct debit, it can take up to 24 hours to receive confirmation. You will need to renew your fee every 12 months.
- What is data protection?
- What is 'personal data'?
- Does data protection apply to me?
- What do I need to do?
- Frequently asked questions
- More information
What is data protection?
The information you hold about your customers and clients is one of your biggest assets. If you want to make the best use of it, you need to be aware of your responsibilities.
Data protection isn’t just about paying the fee. It is the fair and proper use of information about people. Understanding it will help you use that data effectively, so you can provide the products and services your customers want and need. It will also help you use that data safely. Mistakes can be expensive to put right. They can also be damaging to clients and threaten your reputation as a business that puts its customers first.
The UK data protection regime is set out in the Data Protection Act 2018 and the UK GDPR.
What is 'personal data'?
Personal data is information about particular living individuals. This might be anyone, including customers, clients, employees, business partners, members, supporters, business contacts, public officials, or members of the public.
It does not need to be 'private' information – information which is public knowledge, or which is about someone's professional life can be personal data too.
It includes records held electronically (such as on computers, laptops, smartphones, or cameras) as well as paper records, if you plan to put them on a computer or other electronic device or if you file them in an organised way.
Does data protection apply to me?
Yes, if you have information about people for any business or other non-household purpose.
Data protection law applies to any 'processing of personal data', so will apply to most businesses and organisations, whatever their size. But there are some exemptions from the obligation to pay.
What do I need to do?
If you have received a letter from us, quoting your Companies House registration number you must:
Our self-assessment tool will help you work out if you need to pay. We have also added some frequently asked questions below.
If you do need to pay, the online form will ask for your sector. You can choose from, but are not limited to:
- General Business, Supplier of Services, Other
- General Business, Supplier of Services, Genealogist
- General Business, Supplier of Services, Lifestyle Coach
- General Business, Supplier of Services, Beauty Salon/Hairdressers
- General Business, Business Advice & Consultancy, Consultant
- General Business, Dating Agency, Dating Agency
- Membership Association, Club, Club/Society (Charitable)
- Membership Association, Club, Membership Club (Commercial)
- Membership Association, Industry association, Trade Association
- Membership Association, Employment & Trader Union, Trade Union
- Religious, Religious Organisation, Pastoral Care
- Retail & Manufacture, Manufacturing, Manufacturer
- Retail & Manufacture, Supplier of Goods, Retail/Wholesale
Frequently asked questions
I have CCTV on my business premises for the purpose of crime prevention – do I need to pay a fee?
Yes, images of people caught on camera are their personal data. If you record these images to prevent crime, then you would be required to pay the fee.
I have a dashcam on my business vehicle – do I need to pay the fee?
If you have a dashcam that you use for work purposes on a vehicle that you use for work – even if you own the vehicle – then you will need to pay a data protection fee. Again, images of people recorded on camera – even when in their cars – will be their personal data.
We are a dating agency – do we need to pay?
If you provide a match making service and hold the personal information electronically, you are required to pay the data protection fee.
I am a hairdresser – do I need to pay the fee?
No, you would not necessarily need to pay the fee. However, if you have CCTV on your business premises for the purpose of crime prevention, you are required to pay the data protection fee.
If you hold medical information such as skin test results to allow you to provide a non-medical service for your clients, such as colouring, you will not be required to pay the data protection fee.
We are a beauty salon – do we need to pay?
Generally speaking, if you provide cosmetic treatments, you would not be required to pay the fee.
If you have CCTV for the purpose of crime prevention on or in your business premises this would require you to pay the fee.
If I use an online booking system – do I need to pay?
No, you will not be required to pay because you use an online booking system even if the data is stored on the cloud or on your computer.
However, if you have CCTV for the purpose of crime prevention on or in your business premises this would require you to pay the fee.
I repair equipment, such as watches, furniture, consumer electronics, computers and other household appliances – do I need to pay?
No, if you only install and repair the equipment you are not required to pay a fee.
However, if you have a dashcam or CCTV for the purpose of crime prevention on or in your business vehicle/premises this would require you to pay the fee.
I only hold names, addresses, and contact details of my customers – do I need to pay?
If the information you are holding about people is only for the purposes of keeping your own accounts and records, such as keeping records of purchases, sales, or other transactions to ensure the relevant payments, deliveries or services happen, then you are likely to be exempt from the requirement to pay.
However, this specifically excludes information processed by or obtained from credit reference agencies.
Do I have to pay if I have a website?
It depends on what’s on your website and what other personal data you hold.
If you use your website to promote another person's business activity, goods, or services, you will need to pay because you are advertising and marketing for others.
If you just have a website that advertises your own products or services, then you won’t need to pay because of your website. But you will need to use our self-assessment tool to see if there are any other activities you undertake that mean you do need to pay.
Do I have to pay because I hold customer data on a computer?
You are not usually required to pay just because you hold client details on computer, but the important point is what you do with those details. Our self-assessment tool will help you to see if any of your activities mean you need to pay.
Do I have to pay because I take card payments?
You are also not required to pay just because you take card payments. However, if you do credit checks on customers via a credit reference agency, or if you process personal data for any other non-exempt reason, then you do need to pay.
If I email promotional offers to customers – do I need to pay?
There is an exemption for processing personal information for the purpose of advertising or marketing your business activity, goods or services and promoting public relations only in connection with that business activity, or those goods and services. This processing does not require you to pay the fee.
If you use your business to promote another person's business activity, goods, or services, you will need to pay the fee because you are advertising and marketing for others.
We have a loyalty card scheme – do we need to pay?
If you have a loyalty card scheme you are not required to pay a data protection fee providing you don’t share or trade this information, i.e. within your group of companies for another purpose or carry out research on customer habits and behaviours based on what they have bought.
If you have CCTV for the purpose of crime prevention in or on your business premises you are required to pay the fee.
How do I know if my company can claim the not-for-profit exemption – we don’t make a profit?
To meet the criteria for the not-for-profit exemption, the organisation must:
- be established as a not-for-profit organisation, which may be stated in your constitution/articles
- only process information necessary to establish or maintain membership or support
- only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it
- only hold information about individuals whose data you need to process for this exempt purpose
- restrict the personal data you process to personal information that is necessary for this exempt purpose
- only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration
The organisation would not be exempt:
- if you are responsible for CCTV
- if you provide additional services outside of the organisation’s aims/objectives that can’t be covered by the other exemptions
- if you trade and share in personal data
My organisation holds information about our members – do we need to pay?
The administration of membership records is not an exempt purpose for processing personal data and would require a fee to be paid.
However, if you are set up as a not-for-profit organisation, please see our not-for-profit question above.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your society or support group to pay the fee.
Does a trade union or students union need to pay the fee?
If you are a union and you are responsible for how the data is processed, then you would be required to pay the fee.
However, if you are set up as a not-for-profit organisation, please see our not-for-profit question above.
If you have CCTV for the purpose of crime prevention on or in the premises this would require your society or support group to pay the fee.
My organisation is a registered charity – do I need to pay?
This would depend on what personal data you were processing and why. A registered charity would only pay the lowest fee tier of £40. Our self-assessment tool will help you determine if you are required to pay a fee.
We provide pastoral care – do we need to pay?
If you provide pastoral care such as counselling, emotional, social and spiritual support and hold any of these records electronically, you are required to pay a data protection fee.
We offer physical wellbeing activities – such as solariums, sauna and steam baths, Turkish baths, massage salons, slimming salons – do we need to pay?
If you are providing services which require you to record your client’s medical history and maintain a record of treatments and aftercare you would be required to pay the data protection fee.
I’m a genealogist – do I need to pay?
Yes, if you are undertaking research on living individuals and record the information about family members, you are required to pay the fee.
I am already registered – why have I received a letter?
If you are registered as a sole trader or your registration does not include your Companies House number, this could be the reason why you have received our letter. Please let us know.
I have a limited company but I’m a sole trader – who needs to be registered?
This depends on who the data controller is, and which entity has the relationship with the client. You will need to determine who is the legal person responsible for the personal data held.
If your limited company is set up for the sole purpose of processing your own accounts, then this would not require a fee.
I’m unsure if I am a data controller or a data processor – how do I determine this?
It is essential for organisations involved in the processing of personal data to be able to determine whether they are acting as a data controller or as a data processor in respect of the processing. This is particularly important in situations such as a data breach where it will be necessary to determine which organisation has data protection responsibility.
You may find the following guidance useful:
To determine whether you are a data controller you need to ascertain which organisation decides:
- to collect the personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
- how long to retain the data or whether to make non-routine amendments to the data.
We can only provide guidance and advice; ultimately it is the data controller’s decision as to whether a registration is needed.
My company is dormant – do I need to pay?
It depends. If your business is dormant and you are not processing personal data electronically, then you’re not required to pay the fee.
However, some businesses and professionals are required to retain some personal data after they cease trading or practising, as required by industry guidelines. If this applies to you then you probably will need to pay.
Please visit our self-assessment tool to check.
More information
There is more information about the data protection fee on our website.
There is also lots of information for sole traders and smaller businesses on our SME web hub, to help you understand data protection and how it can help you safely make the most out of the personal data you hold.