In Short
- Most businesses that process personal data as controllers must register with the ICO and pay an annual data protection fee unless exempt.
- Fees increased by 29.8% on 17 February 2025, with small businesses now paying £52, medium businesses £78, and large businesses £3,763 annually.
- Non-payment can result in fines up to 150% of the highest tier fee and reputational damage, as the ICO maintains a public register.
Tips for Businesses
Check whether your business needs to pay the ICO fee using the self-assessment tool and ensure you renew your registration annually. Budget for the updated costs and pay by Direct Debit to receive a £5 discount. If your business structure changes, review your fee status to avoid underpayment and potential fines.
If your business processes personal data as a controller, you must register with the Information Commissioner’s Office (ICO) and pay a data protection fee unless an exemption applies. This fee funds the ICO’s regulatory work to ensure it can oversee and enforce data protection laws in the UK. Businesses obliged to pay the fee should budget accordingly to meet their legal requirements. This article will explore the criteria for paying the data protection fee and how much it costs so that small businesses acting as data controllers can better understand their obligations.
Who Needs to Pay the Data Protection Fee?
A business is a controller if it decides how to process personal data. Most businesses determining how and why personal data is processed must register and pay the fee unless an exemption applies. If a business only processes data on behalf of another organisation and follows instructions without making decisions about its use, it acts as a processor and does not need to register. However, businesses operating as both controllers and processors may still need to register.
Exemptions apply to specific organisations, but assuming your business qualifies without checking could create compliance risks. The best way to determine whether your company must register is to complete the ICO’s self-assessment tool. If you claim an exemption, keeping records explaining why you do not need to register is essential.
How Much Does An Organisation Need to Pay?
Parliament sets the ICO fee structure. Businesses are placed into tiers based on their annual turnover, number of staff, and organisation type.
Following a consultation, the government increased the fee levels by 29.8 per cent on 17 February 2025. The fees are based on what is appropriate given the risks posed by the relevant data processing. Businesses must now check whether they are paying the correct amount under the updated structure and plan for future costs.
As of 17 February 2025, micro-businesses and small organisations must pay £52 annually. This applies to businesses with a turnover under £632,000 or fewer than 10 staff. Medium-sized organisations must pay £78 per year. This applies to companies with a turnover under £36 million or fewer than 250 staff. Large organisations must pay £3,763 per year. This applies to businesses not meeting the above Tier 1 and Tier 2 thresholds.

However, businesses that pay by Direct Debit will be entitled to a £5 discount. Full information is available on the ICO’s website.
If unsure which fee applies to your business, you can complete the ICO’s fee self-assessment tool. It is essential to check your fee status where necessary, as changes in your business’s structure or financial position may affect how much you need to pay.
Does an Organisation Need to Pay the Fee More Than Once?
The data protection fee covers 12 months. Businesses must ensure they renew their registration yearly and pay the relevant fee each year to remain compliant with this requirement.
If a business believes it no longer needs to pay, it should contact the ICO as soon as possible to inform them and explain the position. If you are unsure about whether you need to pay, it is better to seek clarification rather than take on risk.
What are the Risks of Non-Payment of the Fee?
The ICO’s guidance explains that it will issue reminders if a business does not pay the fee. If a company ignores these and does not provide evidence of exemption, the ICO may issue a notice of intent. This will give the business a deadline to either pay the fee or provide proof that registration is not required.
If a business fails to respond or explain why it does not need to pay within 28 days of the payment deadline, the ICO may issue a fine of up to 150 per cent of the highest tier fee.
Failing to pay the fee and register can harm a business’s reputation and result in financial penalties. The ICO maintains a public register of all businesses that have paid the data protection fee, allowing customers, suppliers, and business partners to check whether an organisation is compliant. A business not listed on the register may raise concerns about its data protection practices.
To avoid fines and reputational harm, businesses should ensure they renew their registration on time and budget for any future increases in the fee.
Key Takeaways
The data protection fee funds the ICO’s regulatory work and is legally required for most businesses that process personal data as controllers. Following a government review, the fees increased on 17 February 2025, with a 29.8 per cent rise to ensure the ICO has adequate resources. Businesses should check their fee tier, plan for renewal, and budget for the updated costs.
If you need help understanding whether your business needs to pay the data protection fee, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The data protection fee is a mandatory charge that funds the ICO’s work in enforcing and regulating data protection laws in the UK. It is a compulsory fee for certain types of businesses.
The government increased the data protection fees on 17 February 2025 following a consultation. The changes reflect a 29.8 per cent increase from the previous levels. The three-tier fee structure applies different rates for small, medium, and large organisations.