Is it true that under GDPR my organisation no longer has to pay a fee to the ICO?

New data protection law is due to come into force on 25th May 2018 in the form of the General Data Protection Regulation (GDPR). Continuing our theme of GDPR “myth busting”, we explore the rumour that organisations will no longer have to pay a fee to the Information Commissioner’s Office (ICO) when GDPR comes into force.

Where has this myth come from?

Under the current Data Protection Act 1998 (DPA), organisations that process personal information are required to register with the ICO as data controllers (unless an exemption applies). The registration process involves telling the ICO about the personal information collected, how it is used and paying a notification fee of between £35 and £500. Most of the funding for the ICO’s work comes from the fees that it generates from the compulsory notification system. 

Recital 89 of GDPR removes the general obligation for organisations to notify the processing of personal data to supervisory authorities (for the UK the supervisory body is the ICO). This will mean that organisations will no longer be under an obligation to register with the ICO as a data controller. 

However, a provision of the Digital Economy Act 2017 will ensure that it remains a legal requirement for controllers to pay a data protection fee to the ICO. There are expected to be certain exemptions under the new fee structure, but it is likely that these will be similar to those that are currently in place under the DPA.

What are the new fees and when will they start?

The Department for Digital, Culture, Media and Sport is in the process of developing the regulations to support the new fee structure, with the final fees then needing to be approved by Parliament. The new fee structure is expected to be a three-tiered system, with the fee varying depending on the size of the organisation, its turnover and the amount of personal information that it processes. Fees will range from up to £55 to £1,000, with an additional £20 direct marketing top-up fee where an organisation carries out electronic marketing activities.

The new fees are anticipated to kick in on 1st April 2018. Until this date organisations remain under an obligation to renew under the old system. Organisations that pay an annual notification fee prior to 1st April 2018 will not need to pay the new fee until their notification under the old model expires.

If you have any questions on this or on how any other aspects of GDPR may affect you, there’s lots of helpful information on our website and we’d be happy to discuss how we can assist.

Carmen Stevens
Posts: 2
Stars: 0
Date: 06/03/18