Organisations fined for not paying data protection fee

Businesses, organisations and sole traders that process personal data must pay an annual data protection fee to the regulator unless they are exempt.

The ICO said it has issued over 900 notices of intent to fine since September to companies which have not paid and 100 final monetary notices are being issued. Fines for not paying the fee can reach up to a maximum of £4,350.

The fee came into force on 25 May to coincide with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

Organisations are expected to pay between £40 and £2,900, dependent on where they fall within a three-tier system based on factors including annual turnover, headcount and whether it is a charity.

Those with a current registration under the previous Data Protection Act – prior to 25 May – are not required to pay the new fee until that registration has expired.

Paul Arnold, deputy chief executive officer at the ICO, said: “You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this.”