ICO fee and registration changes next year

By Paul Arnold, Deputy Chief Executive.

As we count down to the General Data Protection Regulation (GDPR) taking effect next May, we wanted to clarify how the fees that data controllers have to pay to the ICO are changing.

Under the current Data Protection Act (DPA), organisations that process personal information are required to notify the ICO as data controllers (unless an exemption applies). This involves explaining what personal data they collect and what they do with it. They are also required to pay us a notification fee, based on their size, of either £35 or £500. These fees are used to fund most of the ICO’s work.

When the new data protection legislation comes into effect next year there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee. These fees will be used to fund the ICO’s data protection work. As now, any money the ICO receives in fines will be passed directly back to the Government.

How much will data controllers have to pay?

The Digital Economy Act paves the way for a new funding system for the ICO. The amount of the data protection fee is being developed by the ICO’s sponsoring department, the Department for Digital, Culture, Media and Sport (DCMS) in consultation with the ICO and representatives of those likely to be affected by the change. The final fees will be approved by Parliament.

The new system will aim to make sure the fees are fair and reflect the relative risk of the organisation’s processing of personal data. The size of the data protection fee will still be based on the organisation’s size and turnover and will also take into account the amount of personal data it is processing.

The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

We expect to know more by the end of the year and will communicate to data controllers once we do.

When will the new data protection fee system start?

The new model will go live on 1 April 2018.

I’m due to renew shortly, should I still go ahead with this?

Organisations should continue to renew their notification as usual and it is still a criminal offence to not notify if an organisation needs to. Once we know more about the new fees, we will be telling all organisations about the changes and what they need to do. So, until the new fees come in, it is very much business as usual – so no excuses for not notifying!

I have recently renewed, will I have to pay again in April?

We expect that under the new data protection fee regime payments made during the 2017/18 financial year under the current system will run for a full year. This would mean that organisations which pay their annual notification fee at any point during this time will not need to pay the new fee until their notification under the old model would otherwise expire.

Will there still be exemptions under the new fee model?

Yes, what these exemptions will be has yet to be confirmed by DCMS but we expect them to be similar to those under the current regime.

I’m already registered with the ICO, how will I know when the system changes?

We will be informing people in the reminder paperwork we send them about renewal. Next year we’ll make clear to those due to renew from April that they will be under the new regime and we’ll include everything they need to know to make the process go smoothly.

Update 31/10/2017 – We are now able to share the fee ranges used by DCMS in their recent consultation about future ICO fees.

Tier 1: Small and medium firms that do not process large volumes of data
Staff headcount below 250; and
Turnover below £50M pa; and
Number of records processed under 10,000
*Public Authorities should categorise themselves according to staff headcount and number of records only.

Tier 2: Small and medium firms that process large volumes of data
Staff headcount below 250; and
Turnover below £50M pa; and
Number of records processed above 10,000
*Public Authorities should categorise themselves according to staff headcount and number of records only.

Tier 3: Large businesses
Staff headcount above 250; and
Turnover above £50M pa
*Public Authorities should categorise themselves according to staff headcount and number of records only.

Direct marketing top up: Organisations that carry out electronic marketing activities as part of their business.

The proposed amounts are:

Tier 1: annual fee of up to £55
Tier 2: annual fee of up to £80
Tier 3: annual fee of up to £1000
Direct marketing top up fee of £20

The consultation was carried out by DCMS through a third party, using organisations who had responded to previous ICO research. In 2015, the ICO used a third party to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the ICO’s register including all top fee payers and a random sample of lower fee payers.  This equated to approximately 40,000 organisations, who were then contacted and around 2,000 responded. The sample for this consultation was the circa 2,000 organisations that responded to the previous research. Just over 300 of these data controllers contributed to the latest consultation.

DCMS is now reflecting on the responses to the consultation before developing the fee regulations needed to underpin the ICO’s future funding arrangements.

Paul Arnold leads departments responsible for IT, Information Governance, Business Development and Change Management, Organisation Development and Customer Contact.

46 Responses to ICO fee and registration changes next year

  1. Simon Ghent says:

    416,000 on the database. Over 5 million businesses. Would you call that a success or failure?

    How many successful cases did the ICO bring for not paying the £35 fee in the last financial year? Is the new fee structure designed for mass non compliance like the current one? When the ICO struggles with enforcing the DPA, PECR etc effectively what is to make us believe that you will enforce the new “fee” structure from April?

  2. Simon Clark says:

    Isn’t it extremely likely that the Digital Economy Act will be subsumed into the Data Protection Act 2017, rather than having two pieces of legislation? The whole point of the EU saying that GDPR would not require a registration or a fee process was to ensure as many organisations as possible get registered. For companies this is just the same, but GDPR brings into the net organisations like NGOs, charities, and the local sports club. Anywhere that holds a list of members is included. This all sounds very poorly thought out. Section 132 of the DPA 2017 Draft says that a fee ‘may’ be charged, not that it definitely will be. If the ICO got its costs from the fines it levied there would be no need for a charge, with the excess returning to the Government account.

    • Seth says:

      That would then create a perverse incentive for the ICO to levy as many fines as possible to ensure its income. The whole point of the current system is that the ICO only fines when appropriate rather than when it needs some cash.

      • Simon Clark says:

        If you think that there is any possibility that the ICO won’t have people to fine then you are much mistaken. From the hordes of unregistered businesses now who should be registered, through to those who fall foul of GDPR next year, there could easily be enough money coming in to cover their costs.

      • Emma says:

        Reply to Simon Clark: the ICO has never believed the right approach is to be funded by fines. As Seth says this would create a perverse incentive to enforce. The ICO’s annual report suggests that their staff costs alone were about £16 million. They probably need about £20 million a year to cover all their costs. Fees are the best and most secure way to fund this.

      • Simon Clark says:

        Yes but Emma, what you are failing to consider is that GDPR encompasses data privacy in a lot more places than the current DP legislation. Small groups, such as sports clubs, the WI, the church choir have never been bothered or covered before. The EU said there should be no fee with GDPR, but Section 132 of the DPA2017 Draft says fees may be levied. It’s a complete contradiction.

  3. Harry Ewins says:

    Fees that are based upon turnover do not reflect the ability of the organisation to afford to pay these registration fees. Will the exemptions take into account this factor?
    Isn’t it a pity that we hear about this proposed fees charging method initially through a LinkedIn post relating to a DCMS survey; not very much in the spirit of transparency or plans for the GDPR really is it?

  4. Steve says:

    Ah so, the skeptic in me thinks this is an opportunity for the ICO to raise their fees and use the GDPR as its excuse. Just another organisation profiting off new legislation. Oh and more ‘wait and see’. Thanks for that.

    • Emma says:

      You are mistaken that the ICO profits from legislation. The fees have always provided its income, with which it carries out its duties, including paying staff, paying rent and bills on its premises and all the other expenditure a normal business incurs. It doesn’t get funding from anywhere else.

    • Anonymous says:

      There will of course be far more for the ICO to consider under the new regulations, and therefore an increased requirement for resources to deliver their obligations. If not through increased fees how would you propose to cover the difference?

    • christina says:

      Another regulatory body self administering, recruiting living off the fat of the land. more reasons for small businesses to complain – unaffordable

  5. I have been told that the ICO have hired an additional 200 staff to pursue companies that fail to comply with GDPR. Has that recruitment drive been halted, given that most of the ICO income will now come from fees instead of fines?

    • Emma says:

      The ICO has never had any income from fines. It has never believed this is the right approach either. Companies paying fees is a much better system than government funding. Even if the Govt had the money (which it doesn’t), that compromises the ICO’s independence.

      • Simon Clark says:

        Strangely I don’t agree with you. This Government suddenly seems to be able to find money for all sorts of things.

  6. Sandra says:

    Will childminders get a reduced fee? I look after 5 part time children but still have to pay £35, the same amount as businesses with hundreds of employees. I hope your new fee scale takes a fairer account of number of employees, ie just 1.

    • Jayne Blount says:

      I agree Sandra. We have enough expenditure to the little amount of income we get as it is. I fear we will be hearing an increase though rather than a reduction 🙁

      • C Curtis says:

        Same here, I only Childmind one day a week so I really hope it doesn’t increase.

    • christina says:

      Hugely disproportionate – no control an increase from £35 to £50 represents a 40% ish increase ? how does that add up? to fund more overpaid regulatory bodies to apply more and more regulation – more jumping through hoops for small businesses – a childminder paying this is outrageous.

  7. Etta says:

    Hopefully there will not be too large an increase in the fee structure

  8. Addrian woodhead says:

    Why should residential homes have to pay to register CCTV when the police come knocking on the door to use for state purposes to detect crimes, VAT is already paid to the govt when purchased. This is massively unethical as we have to pay the state to register, who then get to use our systems for free.

  9. Paul Smith says:

    It is rather laughable to suggest that this is a clarification. Apart from suggesting that fees will rise, there is no useful information whatever in this release.

  10. Pingback: GDPR Friday Roundup – 6th Oct 2017 – The Data Guardians

  11. Jennifer says:

    Questions/ observations:
    -Whilst a grant is given by the Dep for culture, media and sport for FoI work, I don’t understand why funding for work done by the ICO under the DPA isn’t funded by some other government department?
    -For small businesses owners; would the fee not qualify as an expense that you claim against your tax under ‘financial costs’?
    -The DEA 17 covers: online infringement of copyright; public-service broadcasting and content; network infrastructure; and digital safety among other things so far too wide to then include into the DPA.
    -It does provide some clarity in part with regards to current renewals that would ordinarily cover a period beyond May 2018.

    • Kim Taylor says:

      But if your earnings are small like a child minder or you are free community club you won’t be paying tax to claim it as an expense so it’s just money out

  12. Pingback: Some DP Updates - Panopticon Panopticon

  13. So, no surprise in this announcement, just a shame that once again organisations will have to wait for the exact detail until the end of the year, (as with other outstanding matters still under discussion with WP29).

    So, thank you for confirming the ‘gravy’ is on its way, we just have to wait to see what meat is provided to complete the meal.

    I have been training sole traders and SMEs in the transition from the DPA to the GDPR and specifically highlighted to them the fact that the ICO would need the funding confirming in order to be seen as remaining independent and to expect some other legislation to be used to ensure that it was found from somewhere.

    For many, it was their first insight into the data protection arena and based on feedback I have received I can tender my thoughts that the three tiers, may simply not be enough based on the criteria mentioned in the article above.

    The very first classification should be Type Of Business/Organisation, as this would assist most of those commenting above and perhaps indicate an answer on element of risk. It may also give an indication as to ability to pay and source of funding that would provide funds for the same.

    Any risk factors could be mitigated against whether any data protection training had been received, best practice adopted in relation to cyber awareness etc.

    While the number of employees and turnover may have stood the test of time with the DPA, it’s hardly relevant to the breadth of personal data processing being undertaken today.

  14. Rick Hough says:

    There seems to be a worrying lack of information around for small clubs and societies. Bearing in mind that even a small fine could sink many of these organisations, some clear information or even a forum would be a great help.

    The risk of massive fines for non-compliance with GDPR is a major concern for lots of small organisations. I have even heard that some club and society leaders consider the risk of being responsible for data, and multi million Euro fines, so great they are ready to pack it all in and shut down the club.

    I am currently writing a new Privacy Policy and Data Protection information for my own site, a resource for small sports leagues, clubs, schools and societies, and seeking advice that may help them meet the demands of GDPR to negate the risk.

    If there was an ICO resource to which I could refer people, that would be a great help.

  15. It does provide some clarity in part with regards to current renewals that would ordinarily cover a period beyond May 2018.

  16. Omolade Oshunremi says:

    Hi Emma, can we have your response to Sandra’s query on the 5th October


    Rick Hough’s query regarding: I am currently writing a new Privacy Policy and Data Protection information for my own site, a resource for small sports leagues, clubs, schools and societies, and seeking advice that may help them meet the demands of GDPR to negate the risk.

    This will help many of us who are still in the dark but at the same time trying to get the information right whilst supporting others.

  17. Pingback: GDPR - linkpost update oktober 2017 by @dailybits

  18. Drew Faulkner says:

    One major point of GDPR was to remove the requirement to register and by extension the requirement to have to pay a fee to do so. In return for payment of that fee, most organisations currently receive very little indeed from the ICO which isn’t readily available elsewhere at zero cost to them.

    Getting concrete advice from the ICO is incredibly hard work – it’s invariably procrastination by default, with vague suggestions of advice being available in the future, and good luck with planning to be compliant with that advice…

    So, we now have the situation that the fees are probably going to be essentially doubled; does the ICO really imagine the uptake of registrations will be encouraged by that? Nonsense.

    It’s about time, with only 200 days or so until GDPR is enforced, for the ICO to publish solid guidance and advice on all aspects of GDPR, including how the UK will interpret and enforce it. As it is, we are going to be waiting until well into 2018 for many documents. Of all organisations, I’d have expected the ICO to have grasped the urgency of the situation by now.

  19. John Finch says:

    In GDPR, it stated that fees for registration would cease, and this was the message that has been widely dissipated. This altered slightly in the DPA 17, which stated that 132: The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner.

    However, as a local authority that has to register corporately with several departments having to register separately, and all Councils having to register, the increase in charges at this time of Austerity when staff are being cut from front line services is most unwelcome.

    Every single local authority in the country will become a tier 3 organisation, and will have to pay the same registration as a company with a multi-billion pound turnover, and volumes of data that far exceed local authorities, a registration fee that will double in size.

    Where was the engagement with the public sector over the charge change?
    Where is all this extra money going to come from, as it will be an increase in millions from the public purse?

  20. Benjamin Jones says:

    I think consideration needs to be given to Micro-Healthcare businesses.

    Their turn-over and employee counts are substantively lower, but have more responsibility disproportionate to general data collection.

    To encourage compliance year fee should be lower ~£20.00 mark.

    The level of work required to comply takes a lot of human resources and penalising these businesses with a ‘catch-all’ fee seems unjust.

    It only disincentivises these businesses to pursue a digital option for data storage, which appears to be a step-back if we want to encourage electronic record-keeping system uptake alongside entrepreneurial activities.

  21. James Temperton says:

    Very good comments on here. I didn’t think I would have to read a message board in order to enter the world of data protection. I am currently setting up a small charity. Very small, but as far as I can see we will still be liable as a company who employs hundreds of people. This smells of Eurocracy and just another hurdle to me setting up a group which will have maximum 30 members based in a church hall.

  22. John Firth says:

    I noticed the statement ‘Yes, what these exemptions will be has yet to be confirmed by DCMS but we expect them to be similar to those under the current regime.’ This is pretty crucial for us (small professional association entirely funded by not very wealthy members).

    If we suddenly had to develop policies and procedures and negotiate new contracts with IT suppliers and all the rest of it, we’d cope: but we’d have to pull in our horns and possibly stop doing some of the things that members are paying for in order to do so. While we wait to hear whether we’ll be required to register, obviously we’re starting to do the things that we’d have to do if DCMS decides that we will have to register. So, whichever way the cookie crumbles, we incur expense and loss of management resources (and, like a lot of professional associations, we’re managed by volunteers who also have to earn a living: so this means evenings and weekends).

    As others have said, turnover’s meaningless to us since we don’t trade.

    I’m sure a lot of this is in the hands of your political masters. But some decisions would be a big help.

  23. jordan says:

    Keeping the registration/fee for controllers is a complete contradiction with GDPR but just until Brexit happens.

  24. Nicola Rees says:

    Nicola Rees

  25. Vera says:


    Have not for profit organisations been considered, as they wouldn’t necessarily fit under the Public Authorities note?

    Can you please provide a link to the consultation, in case this is covered there?

  26. Peter Jason Taylor says:

    I have recently been made Clerk of the Parish Meeting of a small village with no Parish Council. I am unpaid, as are the Chairman and the Treasurer/RFO and the Internal Auditor. There are no employees. The parish has 111 adults in 53 dwellings. Our income consists only of a Council Tax precept of £570, which is £10 per Band D equivalent dwelling.
    Personal Data held consists of:
    1. The full Electoral Register, supplied by the District Council. This is needed to ensure that only electors in the parish can vote at Parish Meetings.
    2. A list of Neighbourhood Watch (NHW) members’ names and addresses, email addresses and some telephone numbers, shared with Lincolnshire Police because I am also NHW Co-ordinator (unpaid).
    3. Minutes of Meetings, which name individuals who speak, or are spoken of: but no further details such as addresses are recorded in Minutes.
    My question is this:
    Must the Parish Meeting register under the GDPR, and if so, what would be the annual fee? £55 appears excessive because it would take 10% of our precept, or potentially add 10% to it if we cannot find savings elsewhere. It would be the same amount as a larger authority that has up to 250 employees.

  27. Alastair Jones says:

    Now that the tiers have been announced I find the valuing of registration somewhat baffling. The almost 200% increase in registration to £55 for a sole trader who may only have a handful of clients and being treated in the same way as businesses of up to 250 seems not only grossly unfair but gives the advantage to the 5% of businesses with over 9 employees contrasted with the 95% of businesses in the UK with less than 10 employees.

    I think it requires a rethink or it will be a recipe for disaster.

  28. Anonymous says:

    Do we need to register with ICO, for processing data of a non EU Country?

  29. Goutam Sengupta says:

    Do we need to register with ICO while processing data of non EU Country?
