Everything You Need To Know About ICO Registration

As the owner of a UK business, you may be unsure of your obligation to register with the Information Commissioner’s Office (ICO) and whether you need to pay a data protection fee. If so, you are not alone. Many people are unclear about whether their handling of personal data brings them within the purview of the ICO and, if so, what they need to do. In this article, we will explain everything that you need to know about ICO registration as a UK business owner, including whether you need to register with the ICO and pay a data protection fee, how much you will pay, and how to complete the ICO registration process.

What is the ICO?

The Information Commissioner’s Office (ICO) is a public body which reports to the UK Parliament and is affiliated with the Department for Digital, Culture, Media and Sport. The role of the ICO is to regulate and enforce data protection law in the UK. As the ICO states, “We offer advice and guidance, promote good practice, monitor breach reports, conduct audits and advisory visits, consider complaints, monitor compliance and take enforcement action where appropriate”.

The legal remit of the ICO spans several laws, including the Data Protection Act, Freedom of Information Act, Privacy and Electronic Communications Regulations, General Data Protection Regulation (GDPR), Environmental Information Regulations, INSPIRE Regulations, eIDAS Regulation, Re-use of Public Sector Information Regulations, NIS Regulations, and the Investigatory Powers Act. Organisations in the UK are required to comply with data protection laws and statutory codes. Failure to do so can lead to substantial fines of up to £17.5 million (or 4% of an organisation’s total worldwide annual turnover), whichever is higher.

What is the ICO data protection fee?

The ICO data protection fee is used to fund the work of the ICO, whose role is to enforce data protection laws in the UK. As the ICO states, “It is the law to pay the fee, which funds the ICO’s work, but it also makes good business sense because whether or not you have paid could have an impact on your reputation”. Organisations are required to pay the data protection each year to the ICO or inform them if they no longer fit the criteria for payment.

Do I need to register with the ICO and pay a data protection fee?

Every organisation or sole trader operating in the UK that processes personal information (referred to as “data controllers”) is legally required to register with the ICO and pay a data protection fee unless they are exempt from doing so. If you are unsure if you need to register and pay the fee, we recommend using the ICO’s online registration self-assessment tool to check this for yourself. The self-assessment tool will take you through a series of questions to determine whether and how you are using data.

According to the ICO, you will not need to pay a data protection fee if the personal data being processed is only for the following:

  • Accounts and records
  • Advertising, marketing and public relations.
  • Judicial functions.
  • Maintaining a public register.
  • Members of the House of Lords, elected representatives and prospective
  • representatives are also exempt.
  • Not-for-profit purposes.
  • Personal, family or household affairs.
  • Processing personal information without an automated system such as a computer, and
  • Staff administration.

It is important to understand that even if you are not required to register with the ICO and pay a data protection fee, you must still comply with the UK’s data protection laws, even if it is for one of the exempt purposes.

How do I register with the ICO and pay a data protection fee?

The ICO registration process is completed online on the ICO’s website. The online registration service also allows you to pay your first data protection fee. Before starting the online registration process, the ICO recommend that you have the following to hand:

  • your payment card
  • organisation name, address, and company registration number
  • number of staff, and your
  • turnover

Based on the answers you provide, you will be told if you need to register and how much you will need to pay for the current year. The form will also tell you if you have already registered with the ICO, in which case you do not need to continue with the registration process. You will also be asked if you need a Data Protection Officer (DPO). This will depend if you are processing data on a large scale. This may be the case if you:

  • track and monitor people’s behaviour using CCTV, or
  • your organisation processes large-scale ‘special categories’ of personal data, or
  • large-scale criminal convictions or offences data

It will typically take up to 15 minutes to complete your ICO registration. Once the application has been submitted and the payment made, the ICO will send you a confirmation (normally on the next working day) and then publish details of the registration on the “register of fee payers”.

How much is the data protection fee?

The ICO uses a three-tiered system to work out the data protection fee due each year by data controllers. The tier that your organisation falls into will depend on:

  • your staff numbers
  • your annual turnover
  • whether you are a public authority;
  • whether you are a charity; or
  • whether you are a small occupational pension scheme.

The data protection fee ranges from £40 up to £2,900. According to the ICO, “the fees are
set by Parliament to reflect what it believes is appropriate based on the risks posed by the
processing of personal data by controllers”.

The data protection fee ranges from £40 up to £2,900. According to the ICO, “the fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers”.

The three tiers are as follows:Tier 1 – micro organisations

  • Turnover of no more than £632,000 in the financial year, or
  • No more than 10 members of staff.

Fee payable: £40.

Tier 2 – small and medium organisations

  • Turnover of no more than £36 million in the financial year, or
  • No more than 250 members of staff.

Fee payable: £60.

Tier 3 – large organisations

  • Organisations that do not meet the criteria for tier 1 or tier 2

Fee payable: £2,900.

The ICO data protection fee can be paid by direct debit, card, or cheque. Organisations paying by direct debit are eligible for a £5 discount.

When working out how many staff members you have, note that this includes all of your:

  • Employees
  • Workers
  • Office holders
  • Partners
  • Part-time workers (each part-time worker is classed as one member of staff)
  • UK and overseas staff

The ICO’s guidelines state that the number of staff members should be the average over your financial year; to work this out, you will need to:

  • Determine the number of staff members in each month of your financial year
  • Add together the number of staff in each month
  • Divide the total number of staff by the number of months in your financial year.

Under the Data Protection Act 2018, there are several exceptions to the above payment
rules. The law states that:

  • Public authorities should use staff numbers only rather than turnover
  • Charities only need to pay the tier 1 fee, regardless of size or turnover, unless they are otherwise exempt, and
  • Small occupational pension schemes only need to pay the tier 1 fee, regardless ofsize or turnover, unless they are otherwise exempt.

How do I pay my ICO data protection in subsequent years?

Once you have paid your data protection fee for your first year, you will not need to make a payment for the second year until your current ICO registration expires. The ICO will write to you explaining that your registration is due to expire and how to pay your fee for the next year. If you need to change your payment tier, you can do so by emailing or phoning the ICO. If your registration expires, the ICO will make the automatic assumption that you fit into tier 3
unless you advise them otherwise.

What is the penalty for non-payment of the data protection fee?

As the ICO makes very clear, if, as a controller, you do not pay the required fee, you are breaking the law. In this case, the ICO have the power to levy a fine of up to £4,350 fine – or 150% of the top-tier fee.

Final words

Business owners have a broad spectrum of legal and administrative duties, and registering with the Information Commissioner’s Office is just one of these. Thankfully, the process of registering with the ICO and paying the data protection fee is very straightforward. If your business has expanded in terms of turnover and/or staff numbers, it is important to ensure that you provide the correct information when you next register with the ICO to make sure you are paying the correct amount.

Click to rate this post!
[Total: 6 Average: 5]

Share this:

Facebook
Twitter
LinkedIn
Print

Related Posts

Ready to Set Up Your Own Company?

Welcome to our UK company formations portal, where you can set up your company online 24 hours a day.
Scroll to Top