Data Protection Fees

On 25 May 2018, the Data Protection Act 2018 came into force, incorporating the EU General Data Protection Regulation, ushering in a new era of personal data regulation in the UK.

At the same time, the Data Protection (Charges and Information) Regulations 2018 changed the way the Information Commissioner's Office (ICO) funds its data protection work. Individuals and organisations that process personal data must pay a data protection fee, unless they are exempt from doing so. The level of the fee payable depends on the size of the business.

Under the Data Protection Act 1998, data controllers were required to notify or register with the ICO, unless they were exempt. Registration lasted for a year and usually cost £35.

Data controllers who had a current registration or notification under the 1998 Act as at 25 May 2018 were exempt from paying the new fee until its expiry – i.e. 12 months after registration or notification. As the anniversary of the introduction of the new data protection regime approaches, the last of those still operating under the old rules who are not exempt under the new requirements will have to pay the fee.

Data controllers are advised to check that they are fulfilling their obligations under the new regime.

Frequently Asked Questions on the data protection fee can be found on the ICO's website.There is also a self-assessment questionnaire to help those starting up in business, or those whose current registration or notification has expired, determine whether or not they are required to pay the fee.

The penalty for failing to pay the fee is a fine of up to £4,350.