Potentially every UK business needs to register with the Information Commissioner’s Office (ICO) under the Data Protection regulations and pay a fee. But there are various reasons why you do or don’t need to register, and various levels of data protection fees to pay.
What is it?
The ICO is the regulator that enforces the data protection regulations. They levy a small fee on every business that (1) uses CCTV for crime prevention purposes or (2) processes or holds personal data – although some businesses are exempt. This fee pays for the work of the ICO.
How much are the ICO fees?
There is a range of fees and you can check out the current rates at www.ico.org.uk. At the time of writing these range from £40 to £2,900pa.
There are three tiers of registration fee:
- Tier 1 is for small businesses with up to 10 staff, or up to £632,000pa in sales – they pay £40.
- Tier 2 is medium-sized organisations with up to £36m sales or up to 250 employees – they pay £60.
- Tier 3 is for larger organisations and the fee is £2,900pa.
As this is an annual fee it is a good idea to sign up to pay this by direct debit, so that renewal is automatic. You can also get a £5 reduction for payment by direct debit.
Which businesses are exempt from an ICO fee?
You don’t have to register and pay a fee if you are only processing personal data for staff administration, accounts and records, not-for-profit reasons, personal or family affairs, and advertising, marketing and public relations purposes. Very usefully, the ICO has a self-assessment tool so that you can check if you are exempt or not. The link to that is https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
What if I don’t bother?
Like a lot of regulators the ICO is there to take action if people infringe the data protection regulations – and that includes not registering when they should. The fine for not registering or renewing your registration when in fact you should is up to £4,350! So the answer is that it is very much better to register than not!
What penalties can the ICO levy?
The media has lots of examples of businesses that have suffered a data breach or sent out marketing literature when they shouldn’t … and been penalised as a result! The fines for falling foul of the data protection regulations can be very big. There are two tiers of fines: the standard rates, and higher rates. The standard penalty is up to 2% of annual sales, up to a maximum penalty of £8.7m. The higher penalty is up to 4% of annual sales, up to a maximum penalty of £17.5m. All in all the ICO and the Data Protection Regulations are things you really don’t want to fall foul of!
If you’d like further advice on the topic of data protection fees and the ICO, please contact us today for a chat.