
Data Protection: Have You Paid Your Annual ICO Fee?

The Information Commissioner’s Office (ICO) has launched a campaign to remind companies (and sole traders) of their legal responsibility to pay the Data Protection Fee.

The Data Protection (Charges and Information) Regulations 2018 require every business that processes personal information to pay a Data Protection Fee to the ICO, unless an exemption applies (e.g. for charities, accounts and staff administration, to name a few). Failure to pay could result in a fine of up to £4,350.

The fee ranges from £40 to £60 per year for SMEs, up to £2,900 for large organisations, and is banded into tiers. You can calculate how much your organisation needs to pay here (the online assessment takes five minutes). The annual fee is reduced if you pay by direct debit.

The fees are set by the UK Government to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.

For PPMA members, the tier that your business falls into depends on the following:

  • how many members of staff your company has;

  • the annual turnover of your company.

For the ICO, the tier will also depend on the following, although these are unlikely to apply to PPMA members:

  • whether you are a public authority;

  • whether you are a charity; or

  • whether you are a small occupational pension scheme.

Not all controllers are required to pay a fee. Check exemptions.

Tier 1 – micro organisations

  • You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2 – small and medium organisations

  • You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – large organisations

  • If you do not meet the criteria for tier 1 or tier 2, you must pay the tier 3 fee of £2,900. We regard all controllers as eligible to pay a fee in tier 3 unless and until they tell us otherwise.

Working out your data protection fee

Calculating members of staff

To calculate the fee, ‘members of staff’ is defined broadly to include all your employees, workers, office holders and partners.

Your number of members of staff is the average number working for you during your financial year. Each part-time staff member is counted as one member of staff.

So, you should:

  • work out, for each completed month of your financial year, the total number who were members of staff in that month;
  • add together the monthly totals; and
  • divide the result by the number of months in your financial year.

It doesn’t matter if your members of staff are based in the UK, overseas or a mixture of both. They all count.

How to pay the Data Protection Fee

  • If you need to pay, go to: www.ico.org.uk/fee and click ‘first time payment’ if you’ve not previously registered with the ICO. You must complete the online application, which takes approximately 15 minutes, before sending your payment.
  • If you need to ‘renew’ your data protection cover, click renew. The ICO emails all registrants (previous fee payers) six weeks before their annual fee expires.

Make a payment here.

How to declare an exemption from the Data Protection Fee

If you don’t need to pay, complete the form at ico.org.uk/no-fee to let the ICO know why your company is exempt from paying the fee.