March 22, 2019

March 21, 2019

Subscribe to Latest Legal News and Analysis

March 20, 2019

Subscribe to Latest Legal News and Analysis

March 19, 2019

Subscribe to Latest Legal News and Analysis

The Data Protection Fee – ICO fees under the GDPR

The obligation on controllers to pay a fee will remain in place following the implementation of the General Data Protection Regulation, the GDPR, on 25 May 2018. The fees act as the main source of funding for the UK’s data protection supervisory authority, the Information Commissioner’s Office (the ‘ICO’). The Government, which has a statutory duty to ensure the ICO is adequately funded, has proposed a new funding structure based on the relative risk to the data processed by organisations.

On 20 February 2018, the new fee structure was laid before Parliament as a Statutory Instrument and will come into effect on 25 May 2018 to coincide with the enforcement date of the GDPR. The new funding structure proposed by the Government has three tiers and is based on a number of factors including size, turnover and whether the organisation is a public authority or a charity. The fees are:

  • Tier 1 – Micro organisations. Maximum turnover of £632,000 or no more than 10 members of staff. Fee: £40 (or £35 if paid by direct debit)
  • Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
  • Tier 3 – Large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900

There are certain exceptions for some controllers. For example, public authorities need not consider turnover, categorising themselves solely on staff numbers. In addition, charities and small occupational pension schemes, that not otherwise subject to an exemption, will only be liable for the tier 1 fee.

If a controller processing personal data or responsible for the processing of personal data fails to pay the required fee, or fails to pay the correct feet they will be considered to be breaking the law and may be subject to a financial penalty. The maximum penalty is a £4,350 fine, this is 150% of the tier 3 fee.  The revenue raised by the imposition of fines will continue to be passed to the UK Government.

Until 25 May 2018, organisations are legally required to pay the current notification fee unless they are exempt. Controllers will not have to pay any other fee until their current notification fee has expired (12 months from the day they made it).

Article written by Bethany Bradley. 

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

We employ a comprehensive approach when it comes to our International Trade practice. We focus on global import and export compliance, international trade policy and market access and trade remedies/defense. Our lawyers practice international trade law in almost every country where we have an office, and our full-time practitioners operate out of our Washington DC, London and Brussels offices.

We offer a “one-stop” service encompassing international trade compliance and policy acumen to make necessary judgments while operating effectively in a...