Do you need to register and pay the Data Protection Fee?
The Information Commissioner’s Office has launched a campaign to remind sole traders, small companies and SMEs of their legal responsibility to pay a Data Protection Fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.
The Data Protection (Charges and Information) Regulations 2018 require every business that processes personal information to pay a Data Protection Fee to the ICO, unless they’re exempt. Not paying when you should may result in a fine of up to £4,000.
Most companies will need to pay £40 or £60 a year. For large organisations the fee is £2,900.
How to pay the Data Protection Fee
If you need to pay, visit ico.org.uk/fee and click ‘first time payment’ if you’ve not registered with the ICO before, or ‘renew’ if you have registered before. You must complete the online application before sending your payment. It takes about 15 minutes. You can save time, hassle and money each year by setting up a Direct Debit, which deducts £5 from your fee.
How to declare an exemption from the Data Protection Fee
If you don’t need to pay, complete the form at ico.org.uk/no-fee to let the ICO know why your company is exempt from paying the fee.
Data Protection Fee checker flowchart
Notes for the Data Protection Fee checker flowchart
* Exempt Purposes
- Judicial functions
- Elected representative functions
- Personal, family or household affairs not connected to commercial or professional activities (including CCTV to monitor your domestic property, even if you are capturing images outside the boundaries of your property)
- To maintain a public register (ie you are required by law to make the information publicly available)
** Compulsory registration organisations
Accountancy and auditing; Administration of justice; Administration of membership association records; Advertising, marketing and public relations for others; Charities – including housing associations; Childcare; Constituency casework; Consultancy and advisory services; Councils; Credit referencing; Crime prevention and prosecution of offenders (including CCTV systems); Debt administration; Education – including schools; Emergency services; Financial services and advice; Health administration and provision of patient care; Insolvency practices; Insurance administration; Journalism and media; Legal services; Leisure – including airlines and TV/radio stations; Loyalty cards; Mortgage/ insurance broking; Pastoral care; Pensions administration; Personal information processed by or obtained from a credit reference agency; Private investigation; Property management; Recruitment; Research; Social – including networking sites or dating agencies; Software development; Trading and sharing in personal information; Training.
*** Allowed essential processing for business use
- Staff administration (including payroll);
You only hold the personal information of the people you need to for your staff administration
- Accounts or records (ie invoices and payments);
You only hold the personal information of the people you need to for your own accounts and records – for example information about past, existing or present customers or suppliers.
The information is restricted to what is necessary for your accounts and records – for example name, address and credit card details. However, this doesn’t include information processed by or obtained from credit reference agencies.
- Advertising, marketing and public relations (in connection with your own business activity).
You only hold the personal information of the people you need to for your own advertising, marketing and public relations – for example information about past, existing or present customers or suppliers
The information is restricted to what is necessary for your advertising, marketing and public relations – for example, names, addresses and other identifiers
You only advertise and market your own goods and services