Government Reforms (2): ICO fees – enforcement action

data breach

What do we already know?

All organisations that process personal data must pay a fee to the UK’s data protection regulator, the Information Commissioner (ICO) unless they are exempt under new UK data protection regulations. The ICO has produced a fee calculator tool (available here) and guidance on the data protection fee, available here.

Organisations that have a current registration (or notification) under the 1998 Data Protection Act – prior to 25 May 2018 – do not have to pay the new fee until that registration has expired.

The fees, set by Government, are aimed at funding the ICO’s data protection work and new and expanded services such as its advice line, online resources, and guidance to help organisations comply with new data protection laws.

There are three tiers of fees that apply depending on the size and turnover of an organisation and whether it is a public authority or a charity:

  • Micro organisations with a maximum turnover of £632,000 or no more than ten members of staff have to pay £40;
  • SMEs with a maximum turnover of £36m or no more than 250 members of staff have to pay £60; and
  • Large organisations are liable for fees of £2,900.

The fees came into force on 25 May, to coincide with the UK’s new Data Protection Act (2018) and the EU’s General Data Protection Regulation (GDPR).

Failure to pay the fee is now a civil offence under the GDPR. Previously, it was a criminal offence under the Data Protection Act 1998.

What’s new?

The ICO has sent notices of its intent to fine the organisations up to £4,350 if they do not pay the fees they owe.

The notices of intent were sent earlier this month to a range of organisations across both the public and private sector, including the NHS, Government organisations, and recruitment, finance and accounting firms.

More notices are in the drafting stage and will be issued soon, according to the ICO.

Organisations have 21 days to respond to the notices. If they pay, action will stop. Those that ignore the notices or refuse to pay may face a fine.

The fines range from £400 to £4,000 depending on the size and turnover of the organisation. Aggravating factors may lead to an increase in the fine up to a maximum of £4,350.


data breach