While registering with the Information Commissioner's Office (ICO) isn't required under the GDPR, the ICO will still charge a fee to data controllers, based on a 3-tier structure.
Registration and Fees with the ICO
Data Controllers must pay the Information Commissioner's Office (ICO) a fee every year unless one of the exemptions applies to them (see below).
If you paid a fee under the old legislation (Data Protection Act 1998) then you don’t need to pay the new fee until your existing registration ends. The ICO will assume that you must pay the Tier 3 fee until you provide them with information otherwise.
If you’re required to pay a fee, then there are three different tiers and these depend on the number of staff (which is an average across your financial year and includes all employees, workers and partners) that you have, your annual turnover and whether you are a public authority, charity or small occupational pension scheme.
Tier 1 fee of £40 – this applies if you have a maximum turnover of £632,000 for your financial year or you have no more than 10 members of staff.
Tier 2 fee of £60 – this applies if you have a maximum turnover of £36 million for your financial year or you have no more than 250 members of staff.
Tier 3 fee of £2,900 – if you don’t meet the criteria in Tier 1 or Tier 2 then you must pay the Tier 3 fee.
As explained above, data controllers must pay the ICO a fee unless one of the exemptions applies. A data controller does not need to pay the fee to the ICO if it’s processing personal data only for one or more of the following reasons:
Staff administration (i.e. for appointments, removals, remuneration, discipline and other personnel/staff matters);
Advertising, marketing and PR of your business' goods or services;
Accounts and records (i.e. deciding whether to accept a customer or supplier and keeping records of your own transactions);
Personal, family or household affairs (i.e. not for commercial or business purposes);
Maintaining a public register;
Judicial functions (unlikely to apply);
Processing personal data without an automated system (such as without a computer).
If the data controller is processing personal data for any reason other than those set out above then it must pay the relevant fee to the ICO.
Remember, even though you’ll not need to register with the ICO, the accountability principle under the GDPR means you’ll need to show how you comply with the new legislation.
As our guide to the accountability principle under the GDPR explains, you’ll be expected to document details of the data you process in internal records and in your privacy notices.