GDPR update: No longer a requirement to notify with the ICO...but a fee hike above the rate of inflation

06 March, 2018

Dan Crayford

As of 25 May 2018, the fees that data controllers pay to the ICO are changing.

A data controller is the legal person or body which determines the purposes and means of the processing of personal data.

Essentially this means that they are the person responsible for making decisions about why personal data is processed and how it is done in an organisation.

The ICO published its guidance on the data protection fee on 21 February 2018.

How much will I be required to pay under the new regime?

There will now be three tiers of fee, determined principally by your number of employees and annual turnover.

| Tier | Turnover | Number of Staff | Fee |
| Tier 1 - Micro Organisation | £632,000 | 10 | £40 |
| Tier 2 - Small and Medium Organisations | £36 million | 250 | £60 |
| Tier 3 - Large Organisations | Above Tier 2 | Above Tier 2 | £2,900 |

Importantly, the ICO will regard all data controllers as Tier 3 unless you notify them and provide evidence that you fall within a different category - so if you do not fall within that tier then remember to inform the ICO immediately.

Large organisations will feel the biggest impact of these changes, with a rise from £500 to £2,900 annually.

It has been acknowledged that this is an above-inflation increase; however, the government have argued that this higher fee is necessary to "reflect the increased level of information risk inherent in this category of data controllers".

One thing to be mindful of is that the new fee does not need to be paid on 1 April 2018; rather, it only needs to be paid when your existing notification fee expires. The ICO will contact you before the expiry and give further details of how to pay the fee.

Do I fall within an exception or exemption?

If you are a public authority, charity or small occupational pension scheme then a reduced fee is payable.

Further, you do not need to pay a fee if you are processing personal data solely for staff administration, advertising or not-for-profit purposes.

What happens if I do not pay the fee?

If you do not pay the fee, or fail to pay the correct fee, the maximum penalty is a £4,350 fine. However, one positive is that with the new changes there will no longer be any criminal sanctions for failure to pay.

If you would like some further guidance or information on whether you fall within an exception or exemption feel free to get in touch with me at or on 01254 222451. We offer a range of fixed fee GDPR support services and would be happy to discuss how we can assist you with your preparations for May 2018.
