Has your business paid its data protection fee?

The ICO has launched a campaign to remind organisations of the need to pay their annual data protection fee.

How do businesses register for the annual data protection fee? 

Organisations need to register with the ICO, which can be done here. The ICO has a register of fee payers, which can be searched online. 

The Data Protection Act 2018 brought in the annual fee requirement. There are three tiers of fees:

• Tier 1 (maximum turnover of £632,000 for the financial year or no more than 10 staff members) - £40
• Tier 2 (maximum turnover of £36 million for the financial year or no more than 250 members of staff) - £60
• Tier 3 (organisations not falling into the above criteria) - £2,900  

There are various exemptions from paying a fee, including if organisations are only processing personal data for staff administration purposes or for personal, family or household affairs. The ICO has an online toolkit for organisations to use to determine if they are exempt.

There is a fixed penalty for failing to pay the fee. The penalty ranges from £400 to £4,000 (with aggravating factors potentially increasing the highest penalty to £4,350) depending on the organisation’s tier.

Comment

If organisations have data privacy issues (for example a data breach) and have not already registered with the ICO, this will almost certainly result in the fixed penalty, in addition to potential further enforcement action on any other issues. 

The ICO has taken various action against controllers for failing to pay a fee. It issued 340 penalties between 1 July and 30 September 2019. With the ICO’s new campaign, we can expect the number of fines to increase. 

Doyle Clayton offers an auditing service to review your organisation’s GDPR processes and practices. With the ICO’s enforcement action increasing, identifying gaps can lower the risk of penalties or other enforcement action. To learn more about this, please contact Mike Hibberd or any member of the data protection team.