ICO clamps down on non-payment of data protection fees

In the past three months, the Information Commissioner’s Office (ICO) has issued 340 fines to organisations that have not paid the data protection fee.

The largest fee handed out was for £4,000 and four organisations were made to pay that sum.

The ICO’s latest data protection fees trends report revealed that the fees were issued between July 1 and 30 September this year.

Most organisations that process personal data must pay a fee and the ICO can take action against those that don’t.

The ICO issue their fines based on the fee the organisation should have paid. Of those organisations:

  • 333 organisations have been issued with a monetary penalty of £400.
  • 3 organisations have been issued with a monetary penalty of £600.
  • 4 organisations have been issued with a monetary penalty of £4,000.

By sector:

Broken down, the sectors that were issued the fines were:

  • Health 119
  • Finance, insurance and credit 45
  • General business 28
  • Social care 26
  • Accountancy 24
  • Retail and wholesale 20
  • Education and childcare 18
  • Training company 17
  • Legal 15
  • Land and property services 12
  • Recruitment 7
  • Private Investigation 5
  • Transport and Leisure 2
  • Charity 2

What is the fee?

Under the Data Protection (Charges and Information) Regulations 2018, UK organisations are required to pay the ICO an annual data protection fee unless they are exempt. The fee payable depends on the tier of the organisation, and ranges from £40 to £2,900.

The ICO states there are three different tiers of fee.

The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.

Organisations are expected to pay between £40 and £2,900, dependent on where they fall within the three-tier system based on factors including annual turnover, headcount and whether it is a charity.

The tier you fall into depends on:

  • how many members of staff you have;
  • your annual turnover;
  • whether you are a public authority;
  • whether you are a charity; or
  • whether you are a small occupational pension scheme.

If you are obliged to register as a data controller, you must pay an annual fee. The amount depends on your size and turnover. There are three different tiers of fees:

  • Tier 1

Micro organisations (those with a maximum turnover of £632,000 for the financial year or no more than 10 members of staff) must pay £40.

  • Tier 2

Small and medium-sized organisations (those with a maximum turnover of £36 million for the financial year or no more than 250 members of staff) must pay £60.

  • Tier 3

Large organisations (those that do not meet the criteria for tiers 1 or 2) must pay £2,900.

Charities, small occupational pension schemes and organisations that have been in existence for less than one month only pay £40, irrespective of their size and annual turnover.

Public authorities should categorise themselves according to staff numbers only and do not need to take account of turnover.

If you pay by direct debit you will receive a £5 discount.

It’s worth remembering that not all controllers must pay a fee. Many can rely on an exemption.

Farrow and Ball

Recent enforcement action against well-known paint and paper specialist, Farrow & Ball Limited, provides a timely reminder of the need to keep on top of data protection compliance.

The company was issued with a £4,000 penalty notice by the UK Information Commissioner. Farrow & Ball is a Data Controller and pursuant to the Data Protection (Charges and Information) Regulations 2018 it is required to pay an annual Data Protection Fee unless it can claim an exemption. The Data Protection Fee depends on the size of the organisation and fees range from £40 for a Tier 1 Organisation to £2,900 for a Tier 3 Organisation.

As a Tier 3 Organisation, Farrow & Ball should have paid a Data Protection fee of £2,900 however it failed to do so and was issued with a penalty notice of £4,000 by the ICO (the maximum fine being £4,350.00).

Farrow & Ball appealed the notice on the basis that its default was due to an innocent mistake and it argued that:-

• The ICO’s reminder was sent while the relevant Farrow & Ball individual responsible was on holiday;
• The reminder was not identified as important internally; and
• Farrow & Ball paid the fee promptly once the default was identified.

The First Tier Tribunal (Information Rights) (FTT) dismissed Farrow & Ball’s appeal and concluded that Farrow & Ball did not have a reasonable excuse for non-compliance. The FTT concluded that a reasonable Data Controller would have systems in place to comply with the Regulations and that Farrow & Ball pointed to no particular difficulty or misfortune which explained its departure from the expected standards of a reasonable Data Controller. Further, the FTT held that Farrow & Ball had not presented any evidence of financial hardship which could affect the penalty and therefore saw no reason to depart from the original assessment.

You will need to renew your registration each year. The ICO will email you around 6 weeks before your registration expires.

All fines recovered do not go to the ICO but to the Treasury’s Consolidated Fund.

The ICO have advised people to make sure if they need to register and if they receive a renewal reminder, to not ignore it. Make sure you pay on time or let us know if you no longer need to pay. Organisations can pay the data protection fee on the ICO’s website, which takes about 15 minutes to complete.  Further information can be found on the ICO website www.ico.org.uk

Scroll to Top