There was a rumour following the introduction of the GDPRs that companies no longer had to register (or notify) with the ICO and pay a fee. This was because the Data Protection Act 1998 (which the GDPRs were replacing) contained specific wording to say that companies had to register themselves with the ICO, but the GDPRs didn’t.

So, people read the silence to mean that registration with the ICO was no longer a legal requirement.

However, this gap was filled by another law which effectively brings this requirement back into play (for those anoraks out there the law is ‘Data Protection (Charges and Information) Regulations 2018’). The myth may also have started from the fact that this new law doesn’t say you have to register with the ICO – it just says you have to pay charges. The ICO register has now been changed to be called a “Register of fee payers”.


Ultimately, it means that (unless you fall within the very narrow exemptions), if you process personal data as a data controller you do need to pay a fee to the ICO.

The main exemption that may be of interest to some businesses is that the fee will not be payable if you are only processing personal data for one or more of certain stated purposes including staff administration. Chances are though that most business have customers and suppliers and hold their data for the purposes of providing goods or services.

The cost of the data protection fee depends on your size and turnover. There are three tiers of fee ranging from £40 to £2,900, but the ICO indicate that for most organisations it will be £40 or £60. However the fine for not paying can be up to a maximum of £4,350, with
organisations across the manufacturing sector among the first to be fined by the ICO for not paying the data protection fee.

The ICO also provides guidance on the finer details of the fee and exemptions, so this is a good place to start.

Also, it provides an on-line self-assessment tool to help decide if you need to pay, available here:

If you need any advice or assistance with your privacy programme or your compliance journey, please contact Alison or Tracey at Lawpoint for a chat.