Fees: Yes... more changes are coming on 25th May

We’ve spoken a great deal about the forthcoming GDPR and the steps your organisations need to take to best prepare. Included within this is the fact that, as of 25th May, data controllers will no longer need to register with the ICO, each year. Instead they will maintain their own internal records for data processing.

This is good news, isn’t it? Saving a fee? Wait. It’s not as simple as that. The ICO still needs funding for activities and that means there will still be an annual fee for data controllers. The new charging structure is set out in the Data Protection (Charges and Information) Regulations and will come into effect on 25 May 2018 at the same time as the General Data Protection Regulation.


There are three tiers to the new fees:

  1. Tier 1: micro organisations - £40 (or £35 if paid by direct debit)

    1. Organisations with a turnover of up to £632,000 or no more than ten members of staff, small occupational pension schemes, and charities.

  2. Tier 2: small and medium organisations - £60

    1. Organisations with a turnover of up to £36m or no more than 250 members of staff.

  3. Tier 3: large organisations - £2,900

    1. All other organisations.


There are some exemptions and special rules:

  • The fee payable by public authorities is based on staff numbers only - they do not need to take turnover into account.

  • Those charities and small occupational pension schemes, which are not exempt from paying a fee, will only have to pay the Tier 1 fee, regardless of their turnover or how many staff they have.

  • Any organisation which is processing personal data only for one or more of the following activities will be fully exempt from the requirement to pay a fee (but not the rest of the GDPR requirements):

  • staff administration

  • advertising, marketing and public relations

  • accounts and records

  • not-for-profit purposes

  • personal, family or household affairs

  • maintaining a public register

  • judicial functions

  • processing personal information without a computer or other similar device.


So do you need to pay again on 25th May?

No. If you have a current, valid ICO registration it will remain so for the full 12-month term of the agreement. You don’t need to change anything on 25th May.  As your registration falls due for renewal the ICO will contract you giving notice of the new fees and arrangements. The ICO will make a preliminary decision as to which Tier you fall into, based on the information it holds for you. However, you can contact them at any time to change this, assuming you have a valid reason for doing so.

What if you’ve never registered before?

If you qualify for registration requirement but have never done so before, you will need to do this. The quickest and easiest way to register is via the ICO website.


A warning...

It is a criminal offence for a non-exempt data controller to fail to pay the annual fee or pay an incorrect fee. From 25 May 2018, the ICO will be able to impose fines for non-payment of up to £4,350.