Outside view of RPC's transparent glass building.

The new data protection fee

Published on 09 August 2018

From 25 May 2018, as part of the revamp by the General Data Protection Regulation (GDPR), the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations) came into force. Amongst other things, these regulations change the way the ICO fund their data protection work.


Under the 2018 Regulations, organisations that determine the purpose for which personal data is processed (controllers) must pay the ICO a data protection fee, unless they are exempt.  This new fee replaces the requirement to notify, or register, as was required by the Data Protection Act 1998. 

How much does it cost?    

The cost of the data protection fee depends on the size and turnover of the relevant controller.  There are three tiers of fee ranging from £40 to £2,900.  Tier 1 (£40) is for micro organisations – meaning those companies with a maximum turnover of £632,000 per financial year or who have no more than 10 members of staff.  Tier 2 (£60) is for small and medium organisations – meaning those with a maximum turnover of £36m per financial year or no more than 250 members of staff.  Tier 3 (£2,900) is for large organisations who sit outside Tier 1 or Tier 2. 

The fee is always VAT: nil.  The data protection fee must be paid every 12 months.  Some organisations will only pay £40 regardless of their size and turnover.  These are:

  • charities;
  • small occupational pension schemes; and
  • organisations that have been in existence for less than one month.

There is a fee-assessment tool to assist users with how much they need to pay, which is available here.

The ICO will publish details of all controllers who pay the data protection fee on the data protection register, which is available on the ICO website.  Although the 2018 Regulations came into effect on 25 May 2018, controllers who have a current notification or registration under the Data Protection Act 1998 do not have to pay the new fee until that registration has expired. 

Who is exempt?

Not all controllers have to pay a fee, as there are exemptions.  There is no requirement to pay a fee if you are processing personal data only for one (or more) or the following purposes:

  • staff administration;
  • advertising, marketing and public relations;
  • accounts and records;
  • not-for-profit purposes;
  • personal, family or household affairs;
  • maintaining a public register;
  • judicial functions; and
  • processing personal information without an automated system such as a computer.

The ICO provides questions and answers as to whether there is a need to pay the data protection fee.  Even if a controller is exempt from paying a fee, they still need to comply with the other data protection obligations. 

Why is this important?

The ICO has the power to enforce the 2018 Regulations and to serve monetary penalties on those who refuse to pay their data protection fee, or for those who have not paid the correct fee.  The maximum penalty is £4,350 (150% of the top tier fee). 

Any practical tips?

First, work out whether your business is exempt from the new data protection fee.  Then work out which tier you fall into and when you will need to pay.  Remember that if you are liable to pay the fee, this only kicks in once any existing registration under the old Data Protection Act 1998 has expired.