What Is The Data Protection Fee, And Why Should You Pay It?


If you’re not registered with the ICO as a data controller, you might be breaking the law.

With GDPR now in effect, most businesses are aware of the responsibilities they hold in relation to personal data. But one element of the rules that hasn’t perhaps been widely publicised is that of the data protection fee, which requires many organisations to register with the ICO – or potentially face large fines. Even more worrying is that this isn’t anything new – the Data Protection Act of 1998 already had similar rules.

Data Protection Act Registration

Before the GDPR came into effect, the ICO’s website said, “The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. Over half a million organisations are currently registered.”

At the time, registration lasted for a year and usually cost £35. However, the cost could be higher for larger businesses and public authorities. What’s particularly interesting, though, is the low number of registered organisations. As you may know, a data controller is the person or organisation that decides the reasons for which personal data is collected, used and held within a business or other organisation. This includes names, addresses, licence plate numbers and even CCTV footage – essentially anything that could be used to identify an individual.

Surely there are more than half a million businesses in the UK that deal with such information, so why were there so few registered with the ICO? Were they all exempt?

(Image: CCTV camera) If you have any of these on your business premises, then you should probably be registered with the ICO.


To answer these questions, we first need to look at what the exemptions were. In the ICO’s words, you didn’t have to register under the Data Protection Act if the personal data you held was processed only for the following reasons:

  • staff administration (including payroll);
  • advertising, marketing and public relations (in connection with their own business activity); and
  • accounts and records.

Exemptions also applied to:

  • some not-for-profit organisations;
  • organisations that process personal data only for maintaining a public register;
  • organisations that do not process personal information on computer.

These exemptions no doubt account for why many companies weren’t registered with the ICO, but it seems likely that others weren’t registered simply because they didn’t know they were supposed to be or just didn’t care. In either case, this is worrying, because at the time, the ICO had the power to fine businesses up to £5,000 for not registering when they were supposed to, including for having unregistered CCTV.

GDPR Data Protection Fee

Now, of course, the Data Protection Act no longer applies, because it’s been replaced by the GDPR, but registration with the ICO is still very much a requirement for businesses, unless they’re exempt. There are, however, some key differences in its structure. It’s also worth noting that anyone who’s already registered with the ICO under the Data Protection Act won’t have to do it under GDPR until the previous registration has expired.

(Image: toy car being pushed) Even car registration numbers can count as personal data.

Whether you’re already registered or not (and assuming you’re not exempt), you will at some point have to register under the new rules, and the way it works is a bit different from its predecessor. How much you have to pay to register depends on where your business sits on a three-tier scale:

Tier 1 – micro organisations. You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2 – small and medium organisations. You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3 – large organisations. If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. (ICO website)

Importantly, if you don’t inform the ICO of your particular circumstances, then it will be assumed that you belong in tier 3, and you’ll have to pay the highest data protection fee.

As with the old rules, this fee has to be paid yearly, and again there are exceptions and exemptions.

The exceptions are:

  • Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
  • Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
  • Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.

And the exemptions, according to the ICO, are:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

As you’d expect, there are once again fines for not paying the data protection fee or for paying the wrong one: 150% of the top tier fee, which translates as £4,350. That, of course, is less than the old fine, but it’s still a substantial amount of money.

Why You Should Register

The most obvious reason to pay the data protection fee is because it’s a legal requirement (assuming you’re not exempt), but with only half a million organisations registered with the ICO under the Data Protection Act, it’s likely that many haven’t been fulfilling this obligation. If that’s the case, then it would seem the ICO has thus far used its fining powers much less than it could have.

Why, under GDPR, might that change? Is the ICO any more likely to levy these fines under the new rules than it was under the old ones?

It’s impossible to say for certain, but the very fact that GDPR exists at all suggests that data protection is being taken more seriously than it has in the past. Also, the ICO will be keen to prove it’s doing its job. As the Information Commissioner has said, fines are the last resort. But the data protection fee is going to be vital to the ICO if it’s to function properly. If businesses ignore the requirement en masse, the ICO could flex its muscles by making an example of some of them.

The question is: could your business take a hit like that, if you were singled out for punishment?

All organisations that process the personal data of EU residents need to be GDPR compliant. That includes protecting personal data with sufficient cyber security. TMB has many years of experience in this field, so call us to discuss your needs: 0333 900 9050. Alternatively, get in touch via our contact page, or email us at


TMB Privacy Policy

Why do we hold personal data?

Like any business, TMB Group has to keep personal data about staff, clients and potential customers. When you fill in the contact form on our website, for example, we need to keep a record so we can get back to you. Data is also held so we can deliver our services and so we can provide useful information, such as security update news.

What data do we keep?

Depending on our relationship with you, we’ll hold information such as your first and last names, your email address, your phone number and your postal address. We will also possibly have details about your business and those who work for you. If you’re a customer, then we may have some of your banking details so we’re able to accept payments for the services we provide.

How is your data stored?

As a responsible IT company, TMB stores personal data on secured computer systems. Anything that is archived will be placed on encrypted drives.

We do use third-party customer management software, Autotask, which means data may be stored on their servers, but only the data we need to deliver our services. The same goes for the Microsoft services we use, such as Word, Excel and PowerPoint, which store information on Microsoft’s cloud servers. We also use Mailchimp for marketing purposes: to send emails and to manage subscriber lists.

These third parties are not permitted to share your data or to use it for marketing purposes. You can find Autotask’s privacy policy here: Microsoft’s privacy policy for Office 365 is here: Mailchimp’s policy is here:

How long do we keep your data?

We will keep your data in our systems until it is no longer relevant to our business, but you can request that we remove or update it at any time. We will also inform any relevant third parties of your request.

Access to your information

The key thing to remember is that your data belongs to you. That means you can request copies of your personal data any time you like, or to access and update it. You also have the right to be forgotten, so if you ask that we delete your data, we will do so or provide a valid reason why we are unable to. We will, of course, require proof of your identity before addressing any such request.

Depending on your request, your information may be provided to you electronically. In such cases, it will be provided in a commonly used format.

Unsubscribing and deletion

Unsubscribing is not the same as a request for us to delete personal data. If, for example, you unsubscribe from a mailing list, it is necessary to keep your email address on record to prevent marketing email from being sent to you. If we were to delete that information, we would have no way to tell if you have unsubscribed. Nevertheless, you still have the right to request erasure of your personal data.

Your right to complain

If, for any reason, you are unhappy with the way your personal data is treated by us, you have the right to complain to a supervisory authority. In the UK, that would be the Information Commissioner’s Office (ICO).

Website analytics

Anyone who visits our website will automatically have data about them collected via Google Analytics. This gives us broad information about what people are doing on our website and which pages they are looking at. It does not provide us with personal information that could be used to identify individuals.

Cookies are small text files that web browsers receive from websites. They are stored on your computer, and they enable sites to do things like remember if you’ve visited before, if you’re a customer, what your preferences are and so on. You are entitled to view our website without them, but you may lose this kind of functionality if you do so.

International data transfers

Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this privacy policy.

Data controllers and processors

TMB is the controller for marketing activity and personal data/special category data we hold on our own employees, but we are the processor when processing our customers’ personal data (e.g. buying a licence for a named individual). We may use sub-processors for processing data given to us by customers.

What we won’t ever do is sell your data. And if you sign up to our mailing list, you’ll only receive marketing material from TMB as a result – no one else.

For any questions regarding your data, contact TMB’s technical director, Richard Shuker, at or write to us at A1 Endeavour Business Park, Penner Road, Havant, Hampshire, PO9 1QN.