Skip to content
LegalVision UK

What is the ICO Data Protection Fee, and Does My Company in England Have to Pay It?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Running a company is an expensive and time-consuming business. It can be challenging to keep up with the various licences, subscriptions and fees payable to other organisations. In this way, many business owners mistakenly fail to pay the ICO’s annual data protection fee, risking an ICO fine. This article will explore whether your business is liable to pay the annual data protection fee and, if so, the risk to your organisation of failing to do so.

What is the ICO?

The Information Commissioner’s Office (ICO) is an independent body set up to police data protection law, including the General Data Protection Regulation (GDPR), and issue fines for non-compliance. One of the aims of the ICO is to provide businesses in England with sufficient guidance, both through online written guidance and a telephone helpline, to help them comply with our data protection law.  However, because this is an expensive mission to fund, the ICO charges a data protection fee to organisations in England.

What is the ICO Data Protection Fee?

The Data Protection Act 2018 mandates that organisations in England that process personal information must pay a data protection fee to the ICO unless they are exempt.

Processing personal data refers to your organisation handling or storing information which can identify an individual. For example, this may include recording their:

  • full name;
  • postal address;
  • telephone number; or 
  • date of birth.
Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

How Can I Find Out if My Business Needs to Pay?

The ICO have a helpful online tool which can quickly determine you find out whether your organisation comes under the duty to pay a data protection fee. If your business uses CCTV for crime prevention, you will likely have to pay the fee.

It is helpful to note that the ICO classes the use of a dashcam within a vehicle used for work or commuting as CCTV, which would also create an automatic obligation to pay a data protection fee.

How Much is the Data Protection Fee?

The ICO provides three tiers of fees depending on the size of your organisation. These tiers are as follows:

  • Micro organisations (no more than ten members of staff and turnover of less than £632,000 per financial year);
  • Small and medium organisations (no more than 250 members of staff and turnover of less than £36 million per financial year); and
  • Large organisations (more than 250 members of staff or turnover of more than £36 million).

Using the ICO’s definitions, micro organisations must pay £40 per year, small and medium organisations pay £60 per year, and large organisations pay £2,900 per year.

These figures are accurate as of 2022 and are subject to change.

What Happens if My Business Fails to Pay?

The ICO may fine organisations that fail to pay a data protection fee.

Their website confirms that they issued 126 financial penalties to organisations for failure to pay the data protection fee within a seven-month period between 2021 and 2022.

Currently, the ICO can award fines of up to £4,000 for non-payment. Given that most businesses in England will only be liable to pay £40 or £60 per year, this is a hefty penalty.

How Can My Business Pay?

The easiest method is to visit the ICO website and make an electronic payment there. The ICO currently deduct £5 from your company’s annual data protection fee for setting up a direct debit arrangement. Your organisation’s data controller is generally responsible for paying the fee. However, there is no reason why a Director, CEO, COO or owner cannot pay from company funds instead.

Key Takeaways

In summary, most businesses in England must pay a data protection fee. Businesses that fail to pay their data protection fee risk a financial penalty far in excess of the relevant price. Given the electronic nature of business in England, it will be relatively rare for any company to argue that they do not process personal data. Rather, absent the ICO’s online self-assessment tool stating otherwise, organisations in England are likely to owe an annual data protection fee to the ICO. 

If you need help complying with the ICO data protection fee, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

Why do small businesses have to pay the data protection fee?

The ICO believes that it is essential for all businesses, from sole traders to global corporations, to handle personal data safely. Therefore, it believes all relevant organisations should pay an annual fee. Nevertheless, smaller organisations pay a substantially smaller fee. 

How long does it take to pay the fee online?

The ICO believe businesses can complete the fee-paying process within 15 minutes, so it is not a hassle. Companies receive a £5 deduction for setting up a direct debit arrangement. 

Register for our free webinars

How to Recover Unpaid Debts from Customers and Suppliers

Online
Struggling with unpaid debts? Discover your options. Register for our free webinar today.
Register Now

Preventing Employee Competitors: How to Protect Your Business

Online
Learn how to protect your business from employee competitors. Register for our free webinar today.
Register Now

Protecting and Enforcing Your Brand

Online
Protect your brand from misuse and infringement. Register for our free webinar.
Register Now

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Five GDPR-Related Cybersecurity Mistakes Business Owners Make in the UK

How Does GDPR Affect My Business?

When Could Your Business Face a Fine From the ICO for Breaching the GDPR in the UK?

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards