Guide to the Data Protection Fee

data protection feeOur guide to the Data Protection Fee looks at the ICO’s recent published guidance on the new data protection fee, which looks at the Governments’ new charging structure for data controllers. The fee will help to ensure the continued funding of the Information Commissioner’s Office (ICO) and will be based on a 3-tier model.

Whilst the model still needs to be approved by Parliament, the ICO’s Guide to the Data Protection Fee aims to help data controllers understand the new funding model and calculate what they will be required to pay from 25 May 2018.

Summary of the New Fee Model

The ICO have provided a 17-page document with guidance, fee amounts, calculating the fee, exceptions and exemptions, with the new model including: –

  • Controllers with existing DPA registration won’t pay the new fee until that registration has expired
  • There will be 3 fee tiers between £40 – £2,900
  • The tiers are based on numbers of employees and annual turnover
  • There will be some exceptions for public authorities and charities
  • Payments by Direct Debit get a £5 discount
  • The fee covers a 12-month period
  • Failure to pay or notify the ICO of exemption can lead to a fine of up to £4,350

Calculating the Data Protection Fee

Calculating the fee you will pay for data protection registration is relatively simple, although the ICO will publish an online self-assessment tool for calculating fees prior to 25th May.

  • Tier 1 (£40) – max turnover of £632,000 for financial year; or no more than 10 employees
  • Tier 2 (£60) – max turnover of £36 million for financial year; or no more than 250 employees
  • Tier 3 (£2,900) – outside criteria for tier’s 1 or 2

Public authorities will be able to calculate their fee based on employee numbers only (not factoring in turnover) and charities not otherwise subject to an exemption, will only be liable to pay the tier 1 fee.


Those processing personal data for only the below purposes may be exempt from paying a fee (however, the guide also lists circumstances, services & business types that are not exempt): –

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system such as a computer

Further Information

For further information about the fees, calculations and exemptions, read the ICO’s Guidance on the Fees for Data Protection.