What is an ICO registration and what is a data protection fee?

Have you got questions about the General Data Protection Regulation (GDPR), which came into force on 25 May 2018? Are people in your business asking “what is an ICO registration” or “what is a data protection fee”? To answer those questions and more, we have put some answers together to help your business prepare for the new legislation.

What is the ICO?

The ICO stands for the Information Commissioner’s Office. The ICO is the UK’s independent body that has been set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The current UK Information Commissioner is Elizabeth Denham. She was appointed to that position in July 2016. Her past roles include Information and Privacy Commissioner for British Columbia, Canada and Assistant Privacy Commissioner of Canada.

The ICO has offices across the UK. The head office is in Wilmslow, Cheshire, and there are other offices in Edinburgh, Cardiff and Belfast.

What is a data protection fee?

A data protection fee is a cost that businesses and organisations will have to pay to the ICO now the GDPR has come into effect. These are new fees in light of GDPR (which at the time of writing haven’t yet been confirmed – see below for more details). The money funds the data protection work that is carried out by the ICO and it includes the work carried out under the GDPR.

There are three tiers of fees and data controllers (those who process personal data) will have to pay between £40 and £2,900 a year.

Under the previous situation, the Data Protection Act 1998 required businesses that collect personal data to pay an annual registration fee to the ICO of £35 (small and medium businesses) or £500 (large businesses and public-sector organisations with 250 or more staff and a turnover of at least £25.9m).

This was discontinued under GDPR. But the ICO announced it would continue to charge data collectors a fee – the data protection fee.

How much does my business need to pay the ICO?

The size of your business will determine how much you have to pay each year. There are three payment tiers that you need to be aware of (it is a new fee structure to coincide with GDPR).

The tier your business falls into will depend on a number of factors, such the number of employees you have, what your firm’s annual turnover is, and whether you are a public authority or charity.

Here are the three tiers and the associated annual costs:

Tier 1: Micro organisations

• Maximum turnover of £632,000 for the financial year or no more than 10 members of staff
• Fee: £40

Tier 2: Small and medium-sized organisations

• Maximum turnover of £36m for the financial year or no more than 250 members of staff
• Fee: £60

Tier 3: Large organisations

• Organisations that exceed the figures stated in Tier 1 and Tier 2
• Fee: £2,900

In terms of exceptions, charities pay £40 regardless of size or turnover, public authorities only need to go by staff numbers, and if you pay by direct debit you get £5 off the fee.

There are a number of exemptions. You don’t need to pay a fee if you are processing personal data only for one or more of the following: staff administration; judicial functions; maintaining a personal register; accounts and records; not-for-profit purposes; advertising, marketing and PR; personal, family or household affairs; processing personal information without an automated system such as a computer.

If your business isn’t exempt and either fails pay a fee or pays the incorrect fee, it is breaking the law. The maximum penalty it will receive is a £4,350 fine, which is 150% of the Tier 3 fee.

Note: these figures are based on a draft version of the ICO’s 2018 Regulations and at the time of publishing, they are yet to be approved by Parliament, so they could change.

When does my business need to pay the new fee?

GDPR came into force on 25 May 2018 but that didn’t mean businesses and organisations had to pay the fee on that day. If your business has a current registration (or notification) under the Data Protection Act 1998, then you won’t have to make a payment until your registration has expired.

However, for those businesses (and controllers) that don’t have a current registration, and aren’t exempt, you would need to have paid the new fee by 25 May 2018, when GDPR became active.

What is an ICO registration?

As part of the Data Protection Act 1998, every data controller who was processing personal information had to register with the ICO. However, if your business was exempt, you didn’t need to register. The ICO had a registration self-assessment tool on its website that would help you to determine whether you needed to register or if you were exempt from doing so.

However, this requirement will end when the new data protection fee comes into force.

Three things your business should do now

Our Sage Business Experts shared some useful tips on how they prepared for the GDPR. Here’s what they had to say and how they can help you:

Nicky Larkin, founder and managing director of Goringe Accountants: “Check to see if you are part of a professional body or a sector body. Check with them to see if they’ve got some good GDPR preparation shortcuts for your particular sector.”

Keith Tully, a partner at Real Business Rescue: “Speak to your legal representation – they will be able to help you with policies and ensure you are compliant from a legal standing.”

Alison Parsons, an accountant at accountancy firm Albert Goodman: “Don’t wait! If you haven’t started preparing, check the ICO’s 12-step guide, detailing the rights that every individual will have under the new regulations.”

Three articles you should read now to manage the GDPR

We have written a series of articles that will help you and your business to manage the GDPR and your processes.

• A guide for small businesses

• A GDPR checklist

• What employers need to know