What is the ICO?
It is the Information Commissioner’s Office
What do they do?
The Information Commissioner’s Office is the regulator for data protection in the UK and freedom of information in England, Wales and Northern Ireland.
They give advice about the law and help businesses and other organisations safely use the personal data they hold, to provide the products and services people want, among other things.
They are also responsible for collecting the data protection fee, making sure that those who need to pay do so, and fining them when they don’t.
What is the data protection fee?
This is an annual charge levied on organisations that process personal data.
Who has to pay and data protection fee?
Every organisation or sole trader who processes personal information needs to pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt.
Who is exempt?
The 2018 Regulations make certain exceptions for some controllers.
- Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
- Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
- Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
How much do you need to pay?
There are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
The tier you fall into depends on:
- how many members of staff you have;
- your annual turnover;
- whether you are a public authority;
- whether you are a charity; or
- whether you are a small occupational pension scheme.
Not all controllers must pay a fee. Many can rely on an exemption.
Tier 1 – micro organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – small and medium organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – large organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. We regard all controllers as eligible to pay a fee in tier 3 unless and until they tell us otherwise.
Why do I have to pay it?
Firstly, it is the law to pay this. Paying the data protection fee funds the ICO’s work providing advice and guidance about how to comply with the law – such as their online guidance, telephone helpline, and digital toolkits.
Everyone who is registered and has paid joins the list of organisations on the website.
The ICO states ‘that being listed as a fee payer on the ICO’s website sends a strong message to all those seeking to do business with you: it shows that you are aware of your data protection obligations, and that you run a tight ship. Members of the public and other companies will feel reassured to see your company’s name on this list because it means you value their information. They are more likely to put their trust in you than in another company who is missing from this list’
What happens if I avoid paying the fee
You could be fined between £400 and £4,000.
How do I know if I need to pay the data protection fee and register with the ICO?
You can quickly and easily find out if your organisation needs to pay the fee by using their self-assessment link below.