ICO Issues Fines for Failure to Pay the Data Protection Fee

On 26 September 2018, the ICO reported that it had begun formal enforcement action against 34 organisations that have failed to pay the new data protection fee. These organisations span across many sectors, including the NHS, recruitment, finance, government and accounting. Of note, the ICO has stated that more notices are currently being drafted and will be sent out in the immediate future.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

”We expect the notices we have issued to serve as a final demand to organisations and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary. All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”

Failure to pay the data protection fee is now a civil offence under the GDPR, previously this was a criminal offence under the Data Protection Act 1998. Affected organisations have 21 days to respond and if they pay the registration fee then the action will stop.

The data protection fee is tiered, depending on the size of your organisation, as below:

Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff.       Fee: £40

Tier 2 – SMEs. Maximum turnover of £36million or no more than 250 members of staff.                           Fee: £60

Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2.                                                Fee: £2,900.


For those who ignore the notices, the fines for non-compliance are up to £4,350, taking into account any aggravating factors.

These enforcement notices should be a reminder to organisations of all sizes, and working in all areas, that they should be aware of their obligations under data protection legislation. The ICO’s policy is to publish all notices that it issues, and so reputation damage will accompany the fine for not paying the data protection fee – don’t let it be you!

Forbes Solicitors regularly advise a range of businesses on data protection law including compliance with the GDPR, DPA and PECR and preparing for the ePrivacy Regulation including providing training.  We offer a range of fixed fee and retainer-based Data Protection Support services and would be happy to discuss how we can assist you with your preparations with the aim of helping to minimise the occurrence of breaches, and in the event of a breach help to mitigate any resulting risks. If you have any questions, please contact me on 01254 222451 or at dan.crayford@forbessolicitors.co.uk.

Dan Crayford

About Dan Crayford

Dan joined Forbes in 2014, gaining experience in complex insurance litigation which involved advising clients in the construction and public sectors. In early 2017, Dan joined the Commercial team and moved to specialise in advising clients in the public, quasi-public and third sectors, predominantly in the fields of construction, procurement, social housing regulation, and education governance. Dan has a particular interest in contracts and procurement law, with a focus on advising registered providers of social housing, educational institutions, and other public and charitable organisations. Dan has worked with a range of clients in these sectors including registered providers of social housing of all sizes, maintained schools to MATs, other charities and community entities including CIOs, and CICs. Dan also regularly advises organisations from all sectors on data protection and freedom of information matters, including GDPR, PECR, and Environmental Information Regulations.
This entry was posted in GDPR and tagged , , , , .