In the last couple of months, we’ve been made aware of multiple businesses we work with receiving letters from the Information Commissioner’s Office (ICO), reminding them of their legal obligation to pay a data protection fee.

At first glance, it can look like these letters are a scam, especially in a world where we’re constantly bombarded with junk emails, con artists asking for money and digital fraud. We’re urged to be extremely careful.

But we can confirm these letters are real and genuinely come from the ICO.

The ICO has itself confirmed that it sent letters to the UK’s 4.2 million limited companies at their registered offices.

What is the ICO?

The ICO is the Information Commissioner’s Office, and they are responsible for overseeing information rights in the UK. In practice, that means they monitor how information is used by organisations all around the country, in an effort to protect individuals’ rights.

Remember all the GDPR and data protection legislation from a couple of years ago? Well, the ICO is the UK’s independent body tasked with enforcing that. The legislation all still applies in the UK, despite the UK leaving the EU.

Does my company need to pay a data protection fee?

If you handle any kind of personal data electronically, then it’s very likely your company will need to pay a data protection fee.

That includes names, email addresses, physical addresses and IP addresses.

The ICO says:

“Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.”

It adds that: “if you hold personal information for business purposes on any electronic device…it is likely an annual fee payment is due”.

What is the cost of the data protection fee?

The cost of the data protection fee depends on the size of your organisation and your annual turnover. For most SME businesses, it will be between £40 and £60.

You can see exactly how much your organisation will owe each year here.

Who is exempt?

If your business processes data solely to keep accounts and records of purchases, sales or other transactions, to decide whether to accept any person as a customer or supplier, or to make financial or financial management forecasts, then it may be exempt.

But if you use that data for any kind of marketing, then you will still need to pay the data protection fee.

If you don’t store any data digitally – just hard copies – you may be exempt too.

The best way to see whether you may be exempt is to take the short self-assessment quiz here.

It’s easy to pay your data protection fee online, but if you have any queries at all, please do not hesitate to get in touch.

It’s also important to note that failure to pay the fee – when you’re not exempt – could result in a penalty of up to £4,350.

Suzanne Preston
