ICO new fees and registration rules for Data Controllers

In May 2018 the Data Protection Act 2018 introduced GDPR into UK law.  One of the many changes to data protection law was with regard to ICO registration and fees.  In this blog post we will explain how the new fee structure works and how it will impact your organisation.

The GDPR does not require registration (also known as notification) any more but the ICO can charge a fee and so it has set up a new fee regime/structure. In the UK the fee is only payable by data controllers unless they are exempt – the government is currently consulting on the proposed exemptions although they seem to be the same as before.

There are now 3 tiers of fees based on turnover and staff numbers as follows:

  • Tier 1 – £40 – if you have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff.
  • Tier 2 – £60 – maximum turnover of £36 million for your financial year or no more than 250 members of staff.
  • Tier 3 – £2,900 – everyone else

The ICO has stated that they will regard all controllers as eligible to pay the tier 3 fee unless and until the Data Controller tells them otherwise.

The maximum fine for not paying the fee or for paying the incorrect fee is now £4,350.

The new fees come into force immediately but if you have already paid, you won’t have to pay the new fee until you renew.

Aside from the level of the fee, the main difference is that controllers no longer have to give details of the types of processing they do. Rather a data controller just needs to tell the ICO:

  • The name and address of the controller 
  • Number of staff and turnover in the last financial year – as these will determine the fee level
  • The name and contact details of the:
    • person completing the registration process.
    • the relevant person the ICO can contact (if not the above)
  • The data protection officer, if required by the GDPR (if neither of the above).

The ICO has confirmed it will publish the following:

  • the name and address of the controller;
  • the data protection registration number;
  • the level of fee paid;
  • the date the fee was paid and when it is due to expire;
  • any other trading names of the organisation; and
  • the name and contact details for the DPO, if they have consented to this.

If we can be of any assistance, contact us on 0161 952 4244 for more information.