If you’re the owner of a limited company, sooner or later you’re going to receive a letter from the Information Commissioner’s Office (ICO) relating to registering with them and paying a data protection fee.
This will probably raise a few questions. Is it legitimate? Who are the ICO? What is the data protection fee? Do I need to pay it?
In this post, we’re going to tackle all of these questions and more. Let’s get started.
The Information Commissioner’s Office – who are they and what do they do?
The ICO is an independent body that regulates data protection in the UK.
In their own words, their ‘primary role is to help businesses handle personal data legally and in a way that makes good business sense.’
They do this by:
- Providing advice and guidance
- Promoting good practice
- Monitoring breach reports
- Conducting audits
- Looking into complaints
- Taking enforcement action when necessary
As this indicates, the ICO is indeed legitimate, and you need to act accordingly as and when you do receive a letter from them.
The General Data Protection Regulation and the Data Protection Act 2018
You can’t discuss the ICO without also mentioning the General Data Protection Regulation, or as it’s more commonly known, GDPR.
Introduced in 2018, GDPR is essentially a set of data protection rules that sets limits on what organisations can and can’t do with personal data. In the UK, GDPR was implemented via the Data Protection Act 2018.
The ICO is there to safeguard these rules and regulations.
The data protection fee
The data protection fee is an annual fee paid by businesses that electronically process personal data (‘electronically’ simply means with a computer, tablet or other electrical devices).
The fee ranges from £35 to £2,900 and depends on a number of factors, including how large your team is and your business’s annual turnover.
The payment tiers are as follows:
Tier 1
If your business has 10 employees or less, or your annual turnover is no more than £632,000 – you will need to pay £40 (or £35 if you pay via direct debit).
Tier 2
If your business has 250 employees or less, or your annual turnover is no more than £36 million – you will need to pay £60 (or £55 if you pay via direct debit).
Tier 3
If neither of the above applies to your business – you will need to pay £2,900 (or £2,895 if you pay via direct debit).
Failure to pay the data protection fee (or paying the incorrect fee) is a criminal offence and can result in a fine of up to £4,350.
There is no set deadline attached to paying the data protection fee. However, we recommend paying the fee as soon as your business qualifies to pay it (that is, as soon as you start processing personal data). The ICO will send out regular letters to your company’s registered office, notifying you of this obligation.
What is personal data?
Personal data is defined by the ICO as ‘any detail about a living individual that can be used on its own, or with other data, to identify them.’
This includes data related to a person’s:
- Name
- Location
- Date of birth
- Physical background
- Mental background
- Economic background
- Cultural background
The list of what can be considered personal data is extensive. Because of this, we recommend taking a look at the ICO’s guidance on what is and isn’t deemed ‘personal data’.
What does it mean to ‘process’ personal data?
All of the below activities could be described as ‘processing’:
- altering
- collecting
- erasing
- organising
- recording
- retrieving
- storing
If you’re doing any of these using an electronic device, you probably need to pay the data protection fee.
CCTV and the data protection fee
As well as the processing activities mentioned above, if your business is using CCTV for crime prevention purposes, on its premises or in a vehicle, you will need to pay the data protection fee (unless you are exempt).
This does not include using CCTV in or around your home.
Who is exempt from paying the data protection fee?
You do not need to pay the data protection fee if your business is only processing data for any of the reasons set out below:
- Accounts and records
- Advertising, marketing, and public relations
- Judicial functions
- Maintaining a public register
- Not-for-profit purposes
- Staff administration
You are also exempt if you are processing personal data but not electronically, if you are a member of the House of Lords, or if you are only processing data for personal, family, or household affairs.
If you are exempt, you can notify the ICO of this by completing this short ‘Exemptions form’. This is, however, optional.
Do you need to pay?
The ICO’s ‘Registration self-assessment’ online questionnaire can tell you if you need to register and pay the fee in a matter of minutes.
All you need to do is answer a series of yes/no questions about how and why your business handles data. At the end of the process, you will be immediately notified of whether or not you need to pay the fee.
Why you should pay
Firstly, unless you are exempt, it is a legal requirement. If you don’t pay the fee, you could receive a large fine and have your name added to the ICO’s ‘Penalty notices’ page. This is a page where non-exempt businesses that have not paid the fee are, essentially, publicly shamed.
Secondly, by paying the data protection fee, you are highlighting to your customers and other business contacts that you are diligent and take your responsibilities pertaining to data seriously. Businesses that pay the fee are given an ICO Registration Number that they are able to show on their website. What’s more, their names are added to the ‘Register of fee payers’.
Paying the data protection fee
If you need to pay the data protection fee, you can do this directly through the ICO website.
Alternatively, we offer a dedicated ICO Registration Service for only £79.99 (this includes the data protection fee), whereby a Rapid Formations company expert can take all the hassle out of the registration and payment process. All you need to do is provide us with some basic information about your business – we’ll then take care of the rest.
Typically, registration takes ten days from when you provide the necessary information. We’ll then send you your ICO Registration Number and ICO Registration Certificate by email.
If you are an existing Rapid Formations customer, you can purchase the service by following the below steps:
- Log in to your Online Client Portal
- Select ‘My Companies’
- Click on your company name
- Click on the ‘Shop’ tab
- Locate the ICO Registration Service and select ‘Add’
- Select ‘View Cart’ and complete the payment process
You will then receive an email with your online questionnaire and further instructions.
Not a Rapid Formations customer? Not a problem. You can still purchase the service by calling us on 020 7871 9990. We’ll then process your order over the phone.
Thanks for reading
Understanding the ICO and the associated data protection fee is crucial for businesses that handle personal data. Not only does it ensure compliance with GDPR regulations, but it also demonstrates a commitment to data protection and building trust with customers.
As highlighted, if you’re not exempt, failure to pay the fee can result in significant fines and damage to a company’s reputation.
We hope you have found this post helpful. Please leave a comment if you have any questions.