ICO publishes draft data protection fees guidance

ICO publishes draft data protection fees guidance


Author: JP Buckley

Applies to: England, Wales and Scotland

A new registration scheme for data controllers will come in from 25 May 2018, the same day the GDPR is introduced across the EU, the ICO has announced.

Currently, many organisations pay a fee to the ICO as a data controller. These registrations (or notifications) would have been removed by the application of the GDPR into UK law. However there is a move to create a new fee scheme.

We saw mention of a move by the ICO to levy new fees for data controllers last year on its blog and Twitter. These have now made their way into draft regulations presented before Parliament. As the ICO had said last year that the new fees would be levied from April, it has also published a draft guide to the new data protection fees given the short timescales - though these are now intended to apply from 25 May 2018.

Key changes and information to note include:

  • If you have a current registration, you do not need to renew it on 25 May 2018, just when it runs out; 
  • There are exemptions from the need to register - these are set out in the draft guidance, but may change in Parliament. There are some activities which trigger the need to register as well, though these have been widened from the current regime; 
  • Charities and small occupational pension schemes just pay the Tier 1 fee; 
  • Fee levels - these are between £40 and £2,900 based on number of staff and (for non-public bodies) turnover as well. There is a default position of Tier 3 unless and until you show the ICO otherwise; 
    • Tier 1 - micro organisations - cap of £632K turnover or 10 members of staff - £40 
    • Tier 2 - small and medium organisations - cap of £36M turnover or 250 members of staff - £60 
    • Tier 3 - if you exceed the caps in Tier 2 then the fee is £2,900. 
    • There's a £5 direct debit reduction. 
  • There is a monetary penalty (fine) for not registering - £4,350; 
  • The information about the Data Protection Officer (DPO) you may appoint under GDPR will also be collected though this, though this is not required by the new regulations - just convenience in this registration (though you would still have to for the GDPR anyway). Their name will be published if the DPO gives their consent.

The outline draft guidance can be found here. The regulations are called the Data Protection (Charges and Information) Regulations 2018.


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.