ICO stepping up plans to fine data controllers who've not registered or paid the correct fee

Are you a data controller? Have you registered and paid the correct fee?

27.08.2019

One aspect of data protection compliance in the UK that is often overlooked is registration with the ICO. All Controllers need to register themselves with the ICO and pay a fee (unless they are exempt). The ICO has set up a tiered system so that smaller organisations pay lower fees than larger ones. The tiers and the fees are as follows:

 Tier 1 (ÂŁ40 per year) – For organisations smaller than 250 employees.

Tier 2 (£60 per year) – For organisation larger than 250 employees, and less than £36 million annual turnover.

Tier 3 (£2,900 per year) – For organisations larger than 250 employees, and more than £36 million annual turnover.

If you are not sure which tier you fall into, the ICO has provided a useful tool to lead you through the process and let you know which fee is payable. If you fail to register and pay the fee, you can be fined up to ÂŁ4,350.

Many organisations have not yet paid the fee – something that has not gone unnoticed by the ICO which has issued more than 900 notices of an intent to fine and has already fined over 100 unregistered Controllers. 

In certain limited circumstances an exemption may apply, e.g. you are only processing personal data for not-for-profit purposes and/or staff administration. If you want to know whether you are exempt, the easiest way is to work through the self-assessment tool on the ICO website which can be found here.

Our data protection specialist Joanne Bone comments 

“Registering with the ICO is a key part of an organisation’s compliance with the new data protection laws. We often see that whilst businesses have put together policies and procedures for their staff they have not dealt with other compliance issues such as this. Policies, procedures and privacy notices relating to people other than employees are also often overlooked. Data protection laws apply to the use of all personal data in an organisation and an organisation wide approach needs to be taken to avoid potentially large fines.”

Key Contacts

Related Articles

  • Understanding the Equality Act 2010: EHRC updates its guidance for schools and colleges
    Expert Comment
    Understanding the Equality Act 2010: EHRC updates its guidance for schools and colleges
    New guidance for schools
  • The SEND White Paper: our view
    Expert Comment
    The SEND White Paper: our view
    The Government’s SEND White Paper aims to create a more inclusive and streamlined system. While we welcome that ambition, the proposals raise important practical concerns about how the system will work in practice.
  • Gender neutral toilets in primary school breached regulations and indirectly discriminated against girls
    Expert Comment
    Gender neutral toilets in primary school breached regulations and indirectly discriminated against girls
    In DE and FG v West Lothian Council the parents of a five-year old girl brought judicial proceedings against a Scottish local authority because the toilet facilities in one of its newly built schools were gender-neutral. They argued the council had breached relevant regulations and its toilet policy indirectly discriminated against girls. They also alleged that the effect of the policy harassed their daughter.

Recognised for excellence. Chosen for care.

  • Legal 500 Top Tier Firm UK 202
  • alt tzt
  • Sunday Times Best Places to Work 2025