The Information Commissioner’s Office (ICO) has announced it will be taking enforcement action against 34 organisations that have failed to pay the new registration fees that came into effect on 25 May 2018.

All organisations that process personal data must pay a fee to the ICO (although there are some exemptions that may apply).

The level of fee depends upon an organisation’s size, turnover and whether an organisation is a public authority or charity. There are three tiers in operation:

  • Tier 1 fee of £40 for micro organisations, where the maximum annual turnover is up to £632,000, or the organisation has no more than ten members of staff;
  • Tier 2 fee of £60 for SMEs, where maximum turnover is up to £36 million, or where the organisation has between 11 and 250 members of staff;
  • Tier 3 fee of £2,900 for large organisations, who do not meet the criteria of Tiers 1 or 2. The fee is considerably higher because such organisations are likely to hold and process the largest volumes of data and therefore represent a greater level of risk.

The ICO has taken the step of issuing a ‘Notice of Intent’ to 34 organisations across a range of sectors, both public and private, stating that fines will apply unless they pay within 21 days. Those that ignore the notices or refuse to pay may face a fine ranging from £400 to £4,000. As with the fee structure, the level of fine depends on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.

Organisations that have an existing ICO registration (or notification) under the previous Data Protection Act 1998, prior to the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, do not have to pay the new fee straight away. A current registration will remain active until it expires, at which point the new fee will need to be paid. It should also be noted that the Brexit process will not affect these provisions as the GDPR has already been incorporated into UK law.

This story demonstrates that the ICO has begun investigating non-payment of data protection fees, and that many organisations have been caught out already by this change that was brought into effect in May 2018.

If you have any questions regarding this issue, or any other questions regarding Data Protection and compliance, please do not hesitate to contact our expert team on 0161 941 4000 or by email