Do you have an unpaid data protection fee?

Have you recently received a letter through the post with the concerning headline of “Unpaid data protection fee. Due by 17 December”?

Data Privacy

To pay or not to pay?

Have you recently received a letter through the post with the concerning headline of “Unpaid data protection fee.  Due by 17 December”?  What was your reaction? Did you think it was a scam and discard the letter (or hopefully, recycle it)?  Did you phone your lawyers in a panic?

Is this a scam?

Well, we’re here to provide you with the answers; the good, the bad and the ugly.

No (but see our warnings about scams below).  The ICO posted a blog Tuesday morning about its campaign to contact organisations who have yet to pay their annual data protection fee.  The data protection fee replaced the requirement to notify the ICO under the old law, the Data Protection Act 1998.  Instead, organisations that act as controllers when processing personal information must pay a fee on an annual basis, unless they are exempt.  More about exemptions below.  

The ICO reviewed the information (publicly and freely) available from Companies House to cross-refer its register of organisations that have already paid the data protection fee.  It appears that the resulting list of organisations (listed on Companies House but who had not paid the data protection fee according to the ICO’s records) were then sent a template letter from the ICO in the post, warning of the consequences of non-payment.

As a side note, this type of letter campaign by regulators often inspires copycat scams.   So we recommend that you read the letter you receive carefully (if you get one).  If the letter asks you to pay a defined sum (rather than instructing you to use the ICO’s calculator) or instructs you to pay any other way than via the ICO’s website, the letter is most likely a scam.  

What do we need to pay?

The fee payable depends upon the nature of your organisation, as well as its size (which can be calculated by number of employees and/or turnover).  The good news is that for charities registered in England, Scotland and Northern Ireland (regardless of size), that fee will be £40 (£35 if you pay by direct debit). However, for commercial organisations the fee can be as much as £2,900 per annum.

For more information about the data protection fee and how it is calculated, see the ICO’s guidance on fees.

Are we exempt?

Perhaps.  Exemptions are available for organisations that process personal information exclusively for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system (such as a computer).
  • Processing personal information by members of the House of Lords, elected representatives and prospective representatives

Just to reiterate – all of your processing of personal information must fall under one (or more) of these exemptions. If you use personal information for any other purposes (for example, if you have CCTV on your premises), these exemptions will not apply.

At first glance these exemptions appear quite broad, almost to the point of covering all organisations!  This is an illustration of how it helps to go back to the law for guidance. Take, for example, the “not-for-profit purposes” exemption.  The Data Protection (Charges and Information) Regulations 2018 clarifies that this exemption only applies to the processing of personal information for the purposes of establishing, administering and providing services to your membership and/or supporters. If you use personal information in any other way (for example, research purposes), you will not fall under this exemption and you will need to pay the fee.

Can you advise on whether we are exempt?

We would love to help, but if you’re a charity or a small organisation the fees for our advice are likely to outweigh the data protection fee payable (£40).  We won’t be offended if you don’t ask us.

The ICO has a self-assessment tool.  Though, more often than not, the tool advises you to pay the fee.  

Can I ignore it?

Have you paid the fee already?  Sure!  If not, we’re afraid not.  Even if you consider yourself exempt, you need to make this case to the ICO through filling out a form, explaining why you fall under the exemption(s).

What does this mean?

If you’ve received a letter, you should:

  1. Check to see if you’ve already paid the data protection fee
  2. Consider whether you fall under the exemptions
  3. Respond – either through the exemption form or by paying the fee

Don’t ignore it.  Failure to respond gives the ICO an easy way to fine your organisation which, in addition to the financial penalty (up to £4,000), could also damage your reputation if the ICO publicises its fines.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of December 4, 2019.