More than 1,000 organisations have been fined by the Information Commissioner’s Office (ICO) for non-payment of their data protection fees. The data regulator says that the affected organisations encompass a variety of business sectors, including business services, construction, finance, health and childcare.

These fees must be paid to the ICO by all organisations, firms and sole traders, unless they are exempt from the need to pay. An organisation is only likely to be exempt if it does not carry out any form of data processing. In this case, ‘processing’ means doing any of the following with the information:

  • obtaining it
  • recording it
  • storing it
  • updating it
  • sharing it

‘Personal information’ means any detail about a living individual that can be used on its own, or with other data, to identify them.

The money collected from the fees is retained by the ICO to fund its activities of education, supervision and enforcement. However, the fines go to HM Treasury.

This announcement serves as a timely reminder for all firms to ensure they know when their ICO fees need to be paid by. If an organisation already has a registration made under the Data Protection Act 1998, then it will not need to pay a fee until the date on which that registration expires.

Depending on the size of the organisation, these are the fees payable and the fines that the ICO can impose:

  • Tier 1 – micro organisations (defined as those with a maximum turnover of £632,000 or no more than ten members of staff). Fee: £40. Fine: £400.
  • Tier 2 – SMEs (defined as those with a maximum turnover of £36 million or no more than 250 members of staff). Fee: £60. Fine: £600.
  • Tier 3 – large organisations (all those not meeting the criteria of Tiers 1 or 2). Fee: £2,900. Fine: £4,000.

There is a £5 discount for all fee payments by direct debit.

Fines can be increased to a maximum of £4,350 where the ICO considers that there are “aggravating factors.”

Paul Arnold, Deputy Chief Executive Officer at the ICO, said:

“Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action.

“You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.