Skip to main content

ICO stepping up plans to fine data controllers who've not registered or paid the correct fee

Are you a data controller? Have you registered and paid the correct fee?

One aspect of data protection compliance in the UK that is often overlooked is registration with the ICO. All Controllers need to register themselves with the ICO and pay a fee (unless they are exempt). The ICO has set up a tiered system so that smaller organisations pay lower fees than larger ones. The tiers and the fees are as follows:

 Tier 1 (£40 per year) – For organisations smaller than 250 employees.

Tier 2 (£60 per year) – For organisation larger than 250 employees, and less than £36 million annual turnover.

Tier 3 (£2,900 per year) – For organisations larger than 250 employees, and more than £36 million annual turnover.

If you are not sure which tier you fall into, the ICO has provided a useful tool to lead you through the process and let you know which fee is payable. If you fail to register and pay the fee, you can be fined up to £4,350.

Many organisations have not yet paid the fee – something that has not gone unnoticed by the ICO which has issued more than 900 notices of an intent to fine and has already fined over 100 unregistered Controllers. 

In certain limited circumstances an exemption may apply, e.g. you are only processing personal data for not-for-profit purposes and/or staff administration. If you want to know whether you are exempt, the easiest way is to work through the self-assessment tool on the ICO website which can be found here.

Our data protection specialist Joanne Bone comments 

“Registering with the ICO is a key part of an organisation’s compliance with the new data protection laws. We often see that whilst businesses have put together policies and procedures for their staff they have not dealt with other compliance issues such as this. Policies, procedures and privacy notices relating to people other than employees are also often overlooked. Data protection laws apply to the use of all personal data in an organisation and an organisation wide approach needs to be taken to avoid potentially large fines.”