From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 required every organisation or sole trader who processes personal information to pay a data protection fee to the Information Commissioners Office (ICO), unless they are exempt. The new data protection fee replaces the previous requirement to ‘notify’ (or register) with the ICO. For most organisations the fee remains unchanged at £35 a year if paid by direct debit.
Make sure you pay your fee to the ICO when it becomes due, as since September 2018, the ICO (Information Commissioners Office) has issued 900 notices of intent to fine to organisations, including GP practices, for non-payment of their registration fee and last month, the ICO also issued the first 100 penalty notices.
If you do not pay then the ICO fine can range from £400 to £4,350. ICO fines are tiered to reflect the size of individual organisations, ie, organisations in the lowest tier (turnover of up to £630,000 or up to 10 employees) can be fined £400 for failing to pay their annual fee. Organisations in the next tier up (turnover of up to £36m or up to 250 employees) can face a £600 fine for failing to pay their annual fee.
The ICO has taken a strong line on non compliance by organisations, stating: “You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO”.
It is also worth noting that at the time of paying your registration fee you will need to provide details of your DPO (Data Protection Officer).
Further information is available on the ICO website.
Last updated : 17 Dec 2018