Have you paid your "data protection fee"?

The Information Commissioner's Office announced earlier this month that it was writing to the directors of every company in the UK, "reminding them of their legal responsibility to pay a data protection fee".

It looks likes these letters have started to arrive, as a friend of mine received one this morning.

It looks like this:

enter image description here

The Data Protection Act 2018 permits the ICO to levy a charge on controllers — people who determine the purpose and means of the processing of personal data — and the rules about charges are contained in The Data Protection (Charges and Information) Regulations 2018. The regulations set out who has to pay what charges (as the charges are tiered) and — importantly — the exemptions which mean that no fee is payable at all.

I've had a letter — do I have to pay?

Don't panic. Yes, it’s not a particularly pleasant Christmas card — the language of "unpaid ... fee" and "expecting your payment", and the threat of a £4,000 fine, is especially unpalatable — but getting one of these letters should not be a major concern.

According to the ICO, the letter was sent to all companies in the UK (excluding those already registered with the ICO) — it was not targeted to you because you definitely have to pay the charge.

Whether you have to pay the charge depends on what you are doing with personal data. To work out if you are required to pay the charge or not, you can:

Personally, I'd start with the ICO's own assessment tool.

How much do I have to pay?

It depends on a number of factors, including turnover and number of staff.

If you're a small organisation, it will be either £40 or £60 per year.

Otherwise, it's £2,900.

You get a £5 discount if you pay by Direct Debit.

What happens if I have to pay but don't?

If you are required to pay a charge to the ICO but don't do so, the ICO could hand you a penalty notice, requiring you to pay up to 150% of the sum you should have paid. That's how the ICO reached the £4,000 figure — for most small organisations, the maximum fine would be less than £100.

The ICO has handed penalty notices to about 270 companies in 2019, although we don't know how many of those actually paid up.

(There's a good chance the ICO has actually issued more penalty notices, as their published information does not include notices given to sole traders and partnerships.)

The ICO also has a policy of "naming and shaming" companies which do not pay up.

You should also bear in mind the risk to potential future contracts — many companies are now conducting data protection-related due diligence on suppliers, and a penalty notice from the ICO might be an unwelcome blot on your copy book.

If you are required to pay, the easiest thing to do is probably to set up a Direct Debit with the ICO — that way, you shouldn’t have to worry about it come renewal time.

Do I have to give the ICO any other information?

Yes. Paying the charge is part of registering with the Information Commissioner's Office and, to do this, you have to provide some (pretty basic) information about your company, and your processing of personal data.

Data protection officer?

One thing you will need to work out before you start to register is whether you need to appoint a data protection officer.

Most organisations do not need to do this, and there's guidance from the ICO to help you but, if you're not sure, think about getting some advice.

Updated 18:53, 17th December 2019, to include a copy of the letter.