3 December 2018
ICO issues the first fines to organisations that have not paid the data protection fee
The UK Information Commissioner's Office (ICO) has fined more than 100 organisations for failing to pay the annual data protection fee. Organisations across the business services, construction and finance sectors are among the first to be fined.
Since September this year, the ICO has issued more than 900 notices of intent to fine organisations for non-payment of the data protection fee.
The notices serve as a final demand to organisations. Those that fail to pay can expect to receive a formal letter from the ICO outlining enforcement action.
Fines range from £400 to £4,000 depending on the size and turnover of the organisation. The ICO can levy a maximum fine of £4,350 if organisations fail to pay their data protection fees and aggravating factors apply.
Who must pay the data protection fee?
From 25 May 2018, all individuals, companies and organisations that process personal data or are responsible for how personal data is handled need to pay a data protection fee to the ICO, unless they are exempt.
A rate of £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations applies.
Exemptions apply to certain types of data processing. For example, you may be exempt if you process personal data only for one or more of the following reasons:
- staff administration
- advertising, marketing and public relations
- accounts and records
- not -for -profit purposes
- personal, family or household affairs
- maintaining a public register
- judicial functions
- processing personal data without an automated system such as a computer
You can use the ICO's self-assessment tool to determine if you need to pay a data protection fee.
Organisations that have a current registration (or notification) under the 1998 Data Protection Act - prior to 25 May 2018 - do not have to pay the new fee until that registration has expired. You can check if your fee is due for renewal here.
More information is available in the ICO's data protection fee guidance.