GDPR: The New Data Protection Fee

24 April 2018

Under the new 2018 General Data Protection Regulations (GDPR), organisations who are data controllers, in other words who make decisions about data and how it is processed, must pay the Information Commissioner’s Office (ICO) a data protection fee, unless they fall into a category that is exempt.

Previously organisations were required to notify or register with the ICO under the Data Protection Act of 1998, which is now changing. Controllers with a current registration will not need to pay this new fee until their current registration expires. Not all controllers will need to pay, many will be exempt.

There are three different tiers of fee which mean that controllers need to pay between £40 and £2,900. The tier that you fall into depends on things like how many staff you have, your annual turnover, and what line of business you are in.

  • Tier 1 – maximum turnover of £632,000 for your financial year and no more than 10 members of staff. The fee for tier 1 is £40.
  • Tier 2 – small and medium organisations – maximum turnover of £36 million for your financial year and no more than 250 members of staff. The fee for tier 2 is £60.
  • Tier 3 – if you don’t fall into tier 1 or tier 2, you will be regarded as being in tier 3 and need to pay a fee of £2,900.

The important thing to note is that if you do not tell the ICO which tier you fall under and you are an eligible controller of data, they will assume you are in tier 3 and charge you £2,900. It is well worth checking what tier you belong to and paying the required fee.

If you choose to pay by direct debit you will receive a discount of £5 when you make your payment.


If you process any kind of personal data in the course of your business, the chances are you will need to pay the fee.  However, there are some exemptions where you only process personal data for one of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not for profit purposes
  • Personal, family or household affairs,
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer.

The ICO have provided an online assessment tool for you to work through to establish whether or not you need to pay the fee and if so how much that will be.

The new model will come into force from 1st April 2018.

Have a look at our other GDPR blogs to help you prepare for the 25th May:

Please note: This article is a commentary on general principles and should not be interpreted as advice for your specific situation.

General Data Protection Regulation (GDPR)

Submit a Comment

Related articles

Follow our blog via email

Enter your email address to follow this blog and receive notifications of new posts by email.