ICO and Fees for Data Controllers under GDPR

1st November 2019

This blog has been updated. It was originally published 4th April 2018.

Since GDPR (General Data Protection Regulation) was introduced in May 2018, we’ve seen the removal of the annual registration cost, which was previously paid to the Information Commissioner’s Office for registration under the UK Data Protection Act of 1998.

It’s no secret that Data Controllers need to maintain their own records of data processing (as per Article 30). If you are classified as a Data Controller under GDPR (an organisation or sole trader that processes personal data), you still need to register with the ICO (Information Commissioner’s Office).

If you’re not sure whether you need to register or not, you can check by using the ICO’s Registration self-assessment tool.

The cost of registering as a data controller

Organisations that process personal data are being charged a fee dependent upon which of three tiers they fall within:

  • Tier 1 is for “micro organisations” – including those with an annual turnover of less than £632,000, 10 members of staff
  • Tier 1 also includes charities and small occupational pension schemes, regardless of size or turnover
  • Tier 2 is for “SME organisations” – including those with a turnover of no more than £36 million, or no more than 250 personnel
  • Tier 3 is for “large organisations” (all other organisations)

The fee categories associated with each of these tiers are as follows (a £5 discount will apply for direct debit payments):

  • Tier 1 – £40
  • Tier 2 – £60
  • Tier 3 – £2,900

Public authorities will be charged in accordance with their number of personnel and not their annual turnover.

Some exemptions to the new fee schedule apply if one or more of the following situations applies:

  • Personal and family data processing
  • Employee administration
  • Accounts and records
  • Judicial functions
  • Not-for-profit activities
  • Advertising, marketing and public relations
  • Maintaining a public register
  • Personal data processing not undertaken on an electronic device

To find out more, review this detailed ICO guidance on GDPR fees, which will help you to prepare and budget accordingly.
