Data Protection Fee: have you received a letter from the ICO?

Late last year, it was revealed that the ICO planned to contact all registered companies in the UK, 4.2 million in total, to remind them of their legal responsibility to pay the data protection fee if they collect and manage customers’ personal data.

Due to the COVID-19 pandemic, these letters were stopped; however, from the beginning of November they have begun to roll out again, and we have been contacted by several clients about how they should deal with them.

Why have I received a letter from the ICO?

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt.

The ICO is writing to you as it believes that your business is liable for the annual fee and you aren’t on their public register of fee payers. For small businesses, the fee is £40 a year, reduced to £35 a year if paid by direct debit.

Do not ignore the letter – penalties are charged if the fees are not paid.

Do I need to pay a data protection fee?

The ICO website has lots of guidance available that can help. It also has a Fee Checker tool that you can use to see if your business is exempt from paying the fee:

We have a guide to help you complete this assessment, available here: Self Assessment Guidelines PDF

What is Personal Data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.

Examples of Personal Data:

  • a name and surname;
  • a home address;
  • an email address such as;
  • an identification card number;
  • location data (for example the location data function on a mobile phone);
  • an Internet Protocol (IP) address;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

If you use CCTV on your business premises for the purpose of crime prevention, you will need to pay the fee.

What are the fees?

There are three different tiers of fee, depending on the size of the organisation.

Tier 1 – micro organisations (£40 fee): Maximum turnover of £632,000 with no more than 10 members of staff.

Tier 2 – small and medium organisations (£60 fee): Maximum turnover of £36 million with no more than 250 members of staff.

Tier 3 – large organisations (£2,900 fee): If you do not meet the criteria for Tier 1 or 2, you are regarded as Tier 3. Please note, the ICO considers Tier 3 the default tier unless and until you tell them otherwise!

You can complete an assessment via this link to see which Tier you will be in:

You are also eligible for a £5 discount if you elect to pay by direct debit.

What will happen if I don’t pay the fee?

Payment of the ICO data protection fee is a legal requirement. If, as a small business, you do not pay your fee before the deadline given in your letter, you could be liable for a £4,000 fine. Fines may be larger for bigger organisations or those that process sensitive information.

I don’t process personal data – am I exempt?

Generally speaking, you have to pay a fee if you are processing personal data as a controller. But there are some exemptions. You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer.
  • Since 1 April 2019, members of the House of Lords, elected representatives and prospective representatives are also exempt.

By working through the ICO self-assessment, you will be able to tell whether you need to pay the data protection fee. But even if you are exempt from paying a fee, you still need to comply with your other data protection obligations.

I believe I am exempt – do I need to do anything?

Yes! If you fall into the above criteria or the ICO self-assessment states you are exempt, you are required to complete a form, so that the ICO can update their records. The form can be found here:

Help and Advice

If you are unsure or have any questions regarding the letter you have received, you can find lots of guidance and support available on the ICO website. They also have a helpline: 0303 123 1113