Most organisations that process personal information are required by law to pay a "data protection’‘ fee to the UK regulator, the Information Commissioner’s Office (ICO). If you store people’s contact details for your business you are “processing” personal information and so potentially covered by this requirement. Businesses from sole traders and independent practitioners up to multinational companies and global charities are required to pay the fee unless, under certain circumstances, they are exempt.
The fees fund the ICO’s work (contrary to some reports, the ICO doesn’t get any income from fines it imposes). The fee for small businesses remains at £35 a year if you pay by direct debit (which is handy so that you don’t forget to renew). Last year, the ICO collected around £40 million in fees from businesses but its income should probably be at least double that if all non-exempt businesses actually pay up.
If you’re subject to the requirement, it’s important that you keep paying these fees. The ICO can impose financial penalties on companies that do not pay. You might think it’s too much work for the ICO to come looking for businesses that don’t pay the fee – but you’d be wrong: the ICO has approached thousands of businesses in past months about their failure to pay the fee and has started issuing penalties for non-payment.
The ICO publishes a list of all fee-paying companies so it will be obvious to your customers and competitors that if you’re not on that list, you’re not paying your fee! The ICO encourages all businesses to pay the fee and appear on the register as it sees this as a sign of commitment to processing people’s information professionally.
The scope for exemption is fairly limited. The ICO is clear, for example, that if you have CCTV you must pay the fee and if you are an ‘independent consultant’, you must pay the fee.
There are a few exemptions. If you only keep paper records, you don’t need to pay the fee. Sadly, that doesn’t cover many 21st Century businesses! If you are, for example, a small business in the construction sector that only uses the information for staff administration, accounts and your own marketing, you may be exempt.
If you think you might be exempt, the best way to be sure is to use the ICO self-assessment. Find out more or register on the ICO website.
If you’d like further help on data protection and GDPR compliance, subscribe to Astrid’s app today and start getting your evidence in place. We’re offering IPSE members a special Summer discount – your first year’s subscription is reduced from £225 down to £100! Use this link to sign up for your subscription now.
