All organisations – and that includes small companies and sole traders – that process personal data must pay an annual fee to the ICO. While there are some exceptions to this rule (discussed below), most organisations are required to pay the annual sum.

Failure to do so will result in a fine. But perhaps more importantly, non-payment of the fee can send a signal to the ICO that data protection matters are not being afforded the priority they deserve. At Big Data Law we have seen first-hand how some clients have attracted unwelcome regulatory scrutiny because of a simple administrative oversight.


The fee is the equivalent of the pre-GDPR registration/notification requirement. The revenue raised is the main funding stream for the ICO, enabling it to carry out its functions under GDPR. What an organisation pays – and the potential fine – depends on its size, as follows:


  • Micro organisations – with a maximum turnover of £632,000 or no more than ten members of staff. Fee: £40. Fine: £400.
  • SMEs – with a maximum turnover of £36 million or no more than 250 members of staff. Fee: £60. Fine: £600.
  • Large organisations – those not meeting the criteria of either of the above. Fee: £2,900. Fine: £4,000.



The short answer is you will have to pay the fine applicable to the size of your organisation as shown above. It’s worth noting that in November 2018 the ICO took the first steps toward imposing fines on organisations that had not paid the data protection fee.

Over 900 notices to fine were issued, demonstrating the ICO’s serious intent to recoup monies due to it from data controllers.

Arguably the fines are not huge – nor are the annual fees. So it makes sense to pay the fees when they are due. And not just to avoid the fine. Consider the following:

  • A disgruntled employee complains to the ICO about data protection practices at a company. Something that could happen to any organisation at any time.
  • The ICO consults its register.
  • The company is not listed, indicating a fee has not been paid.
  • The ICO then accesses the company website.
  • From the site it is unclear who the company data protection officer (DPO) is – or even if there is one in place.
  • The ICO calls the company. The DPO is not available.
  • The ICO commences an investigation.


In these circumstances the organisation in question is presenting a clearly unfavourable image to the ICO. In addition, if a DPO is appointed, the DPO should understand how to discuss your company’s matters with a Regulator; arguably, asking a Regulator too many “basic” questions may not create a favourable impression. This is an unwelcome development for any company given the ICO’s enhanced powers of investigation and sanction under GDPR. If you have concerns, Big Data Law offers bespoke analysis of your company’s data protection processes to ensure GDPR compliance.


If your organisation processes personal data as a controller, you’ll normally have to pay the fee. But if the data is only being processed for one of the following reasons, you will be exempt:


  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer


The ICO provides useful guidance to help organisations establish whether they may be able to take advantage of an exemption. If you think any of these reasons may apply to the way your company processes data, you may also wish to seek advice from a specialist GDPR solicitor to confirm your entitlement to an exemption.


You can contact Big Data Law online or call us on 0203 670 5540.


Shubha Nath