The Data Protection Fee: does your company need to pay?


In Business Support

ICO logo

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has launched a campaign to remind small organisations, small companies, and SMEs of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.

The Data Protection (Charges and Information) Regulations 2018 require every business that processes personal information to pay a data protection fee to the ICO, unless they’re exempt. Not paying when you should may result in a fine of up to £4,000.

If you’ve received a letter from the ICO, you need to either pay your fee promptly or let the ICO know you’re exempt, so they can update their records. If you’re not sure if you’re exempt, you can take an online self-assessment at

Sharing personal data – such as names, addresses and birth dates – helps makes life easier, more convenient and connected. Customers share data every time they visit your website, search for or buy something, use social media or send an email. But people’s data belongs to them. It should be used only in ways they would reasonably expect, and be kept safe. Anyone holding, recording, storing, updating or sharing personal data for business purposes on any electronic device – including using CCTV for crime prevention purposes – are likely to be required to pay a data protection fee to the ICO. There is also an online registration to complete, which takes approximately 15 minutes.

It’s the law to pay the fee, which funds the ICO’s work, but it also makes good business sense. Whether or not you’ve paid the fee could have an impact on your reputation. Paying the fee and being listed on the ICO’s register of fee payers shows that a company takes its data protection obligations seriously. It’s a strong message for your customers – it lets them know that you value and care about their information. It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations.

Most companies will need to pay £40 or £60 a year. For large organisations the fee is £2,900.

If you need to pay and don’t, you could be fined. Between July and December 2019, the ICO issued 554 monetary penalties to organisations that have not paid the data protection fee.

Act now:

  1. If you need to pay, visit and click ‘first time payment’ if you’ve not registered with the ICO before, or ‘renew’ if you have registered before. You must complete the online application before sending your payment. It takes about 15 minutes. You can save time, hassle and money each year by setting up a Direct Debit, which deducts £5 from your fee.
  2. If you don’t need to pay, complete the form at to let the ICO know why your company is exempt from paying the fee.

For tools, advice and resources on how to comply with the GDPR as a small organisation, visit

How to protect yourself from postal scams

  • Check a letter is genuine by searching online for the organisation who sent it
  • Talk to someone you trust such as a friend or family member
  • Search online for guidance on scams and how to protect yourself.