Do you need to register and pay the Data Protection Fee?

The Information Commissioner’s Office has launched a campaign to remind sole traders, small companies and SMEs of their legal responsibility to pay a Data Protection Fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.

The Data Protection (Charges and Information) Regulations 2018 require every business that processes personal information to pay a Data Protection Fee to the ICO, unless they’re exempt. Not paying when you should may result in a fine of up to £4,000.

Most companies will need to pay £40 or £60 a year. For large organisations the fee is £2,900.

How to pay the Data Protection Fee

If you need to pay, visit ico.org.uk/fee and click ‘first time payment’ if you’ve not registered with the ICO before, or ‘renew’ if you have registered before. You must complete the online application before sending your payment. It takes about 15 minutes. You can save time, hassle and money each year by setting up a Direct Debit, which deducts £5 from your fee.

How to declare an exemption from the Data Protection Fee

If you don’t need to pay, complete the form at ico.org.uk/no-fee to let the ICO know why your company is exempt from paying the fee.

Data Protection Fee checker flowchart

Do you need to register and pay the Data Protection Fee flowchart

Notes for the Data Protection Fee checker flowchart

* Exempt Purposes

  • Judicial functions
  • Elected representative functions
  • Personal, family or household affairs not connected to commercial or professional activities (including CCTV to monitor your domestic property, even if you are capturing images outside the boundaries of your property)
  • To maintain a public register (ie you are required by law to make the information publicly available)

** Compulsory registration organisations

Accountancy and auditing; Administration of justice; Administration of membership association records; Advertising, marketing and public relations for others; Charities – including housing associations; Childcare; Constituency casework; Consultancy and advisory services; Councils; Credit referencing; Crime prevention and prosecution of offenders (including CCTV systems); Debt administration; Education – including schools; Emergency services; Financial services and advice; Health administration and provision of patient care; Insolvency practices; Insurance administration; Journalism and media; Legal services; Leisure – including airlines and TV/radio stations; Loyalty cards; Mortgage/insurance broking; Pastoral care; Pensions administration; Personal information processed by or obtained from a credit reference agency; Private investigation; Property management; Recruitment; Research; Social – including networking sites or dating agencies; Software development; Trading and sharing in personal information; Training.

*** Allowed essential processing for business use

  • Staff administration (including payroll);
    You only hold the personal information of the people you need to for your staff administration.

  • Accounts or records (ie invoices and payments);
    You only hold the personal information of the people you need to for your own accounts and records – for example information about past, existing or present customers or suppliers.

    The information is restricted to what is necessary for your accounts and records – for example name, address and credit card details. However, this doesn’t include information processed by or obtained from credit reference agencies.

  • Advertising, marketing and public relations (in connection with your own business activity).

    You only hold the personal information of the people you need to for your own advertising, marketing and public relations – for example information about past, existing or present customers or suppliers.

    The information is restricted to what is necessary for your advertising, marketing and public relations – for example, names, addresses and other identifiers.

    You only advertise and market your own goods and services.
