Exemptions From the Data Protection Fee: What Small Businesses Need to Know

In Short

  • Most businesses that process personal data must pay an annual data protection fee to the ICO, unless exempt.
  • Exemptions are narrow and depend on specific data-processing activities, such as staff administration or marketing for your own business.
  • Failing to pay the fee or incorrectly applying an exemption can lead to fines and reputational damage.

Tips for Businesses

Check if your business qualifies for an exemption from the ICO’s data protection fee by using the ICO’s self-assessment tool. Even if exempt, you must still comply with UK data protection laws. If unsure, consider paying the fee voluntarily to avoid potential fines and demonstrate accountability. Regularly review your exemption status.

Managing costs often feels overwhelming for small businesses. From employee wages to marketing expenses, every pound matters. However, data protection fees are a cost that many companies need to pay. The ICO requires many businesses that handle personal data to pay this annual data protection fee. Some businesses qualify for exemptions, but this depends on their specific data-processing activities. Exemptions are narrowly defined, so companies must apply them carefully and correctly. This article explores the ICO fee, how exemptions work, and when businesses must register.

What Should I Know About Exemptions?

If your business processes personal data, such as customer details, employee records, or marketing lists, you must follow data protection laws, including the UK GDPR. Personal data can include information such as names, addresses, email addresses, and payment details. 

The law requires most data controllers to pay an annual data protection fee. Unless you qualify for an exemption, you must pay the fee if your business processes personal data as a controller. 

Exemptions apply if you process personal data only for specific purposes, such as staff administration, advertising, marketing and public relations for yourself (or your own business), accounts and records, not-for-profit purposes, personal, family, or household affairs, maintaining a public register, judicial functions, or processing information without automated systems such as computers. These are examples only. If you seek to rely on an exemption, you should consult the full ICO guidance and check it from time to time.

However, you should note that you will likely need to pay the fee if you use CCTV for non-domestic purposes, such as crime prevention or security. 

The ICO recommends documenting your decision if you believe your business is exempt and reviewing this decision regularly to ensure continued compliance.

Do Exempt Businesses Still Need to Follow Data Protection Laws?

Exempt businesses remain responsible for complying with data protection laws to the extent that they process personal data. Exemptions will only remove the requirement to pay the ICO fee. Businesses must still follow data protection law rules, including the need to process personal data lawfully, fairly, and transparently. 

What Happens if Your Business Does Not Pay the Fee When You Need To?

The ICO issues reminders to businesses that fail to pay the fee. If you continue to ignore these reminders, the ICO may send a notice of intent, following which you will have a period to pay or make representations. You can learn more about these periods in the ICO’s guidance.

Businesses that fail to pay, or fail to notify the ICO that they no longer need to pay, face potential fines of up to £4,350, which amounts to 150% of the highest fee tier. Non-payment can also harm your business’s reputation.

Customers, partners, and other stakeholders may view non-compliance as a lack of accountability, which could damage trust and business relationships.

Can Businesses Voluntarily Register if Exempt?

The ICO allows exempt businesses to pay the fee voluntarily. Companies may choose to register to appear on the ICO’s public register of data protection fee payers. This listing can demonstrate accountability and transparency, reassuring customers and partners about a company’s commitment to protecting personal data.

Businesses may also choose to pay the fee to avoid potential fines if they mistakenly misapply exemptions or their circumstances change. The ICO calculates the cost based on size and turnover, with small businesses typically paying the lower-tier fee of £40. For some, paying the fee proactively provides peace of mind rather than risking getting this wrong.

How Can Businesses Verify Their Exemption Status?

You can use the ICO’s registration self-assessment tool to confirm whether your business qualifies for an exemption. However, you should always document your decision and review it regularly, as your processing activities may change over time. If you have any doubts, you can contact the ICO directly for advice tailored to your situation. If you do so, keep written records of any advice to show your cautious approach in case anyone questions your exemption status.

When you are unsure, paying the fee may help you feel more comfortable and reduce risks, but it is advisable to check with the ICO or seek legal advice for certainty. 

Key Takeaways

The ICO requires data controllers to pay the data protection fee unless specific exemptions apply. Most businesses will need to pay, but exemptions exist for narrowly defined purposes. Even exempt businesses must comply fully with data protection laws to the extent that they process personal data. Failing to pay the fee when required could lead to significant fines and reputational damage. To ensure compliance, you can use the ICO’s self-assessment tool and document your decisions carefully. If you feel uncertain, you may contact the ICO or consider paying the fee to avoid risks. Taking a cautious and thorough approach can help you ensure compliance and prevent risk. 

Frequently Asked Questions

What is the data protection fee?

The ICO collects the data protection fee from most data controllers. The fee funds the ICO’s work regulating data protection laws and varies based on the size, turnover, and type of organisation.

How can I check if my business may be exempt?

You can confirm your exemption status by using the ICO’s registration self-assessment tool. The tool provides tailored guidance based on your data-processing activities. You can also contact the ICO or seek legal advice. 

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
