Small businesses were suddenly put under the spotlight when the EU’s General Data Protection Regulation (GDPR) came into force in 2018. The Data Protection Act 2018, which implements GDPR provisions in the UK, requires organisations that process personal information to register with the ICO.
The ICO (the Information Commissioner's Office) is an independent body dedicated to upholding information rights in the public interest and data privacy for individuals in the UK. It enforces the provisions of the Data Protection Act and the GDPR as well as other important pieces of legislation such as the Freedom of Information Act and the Privacy and Electronic Communications Regulations.
One of the main aims of the ICO is to ensure that organisations comply with data protection laws. This entails making sure they process personal information in a fair and transparent manner that respects an individual’s rights. The ICO has a duty to investigate complaints from members of the public and can impose hefty fines on businesses that are seen to be flouting data protection rules.
As part of the Data Protection Act, any entity that processes personal information will need to register with the ICO and pay a data protection fee unless they are exempt. This is the case for every type of company from sole traders and SMEs through to multinational corporations.
There are some exemptions to the rules. You are not required to register with the ICO and pay a fee if you are only processing personal data for staff administration, accounts and records, not-for-profit reasons, personal or family affairs, and advertising, marketing and public relations purposes. Though unlikely, you are also exempt if you only keep paper records and do not use an automated system such as a computer to process personal information.
However, even if you fall into one of these categories but your business uses CCTV for crime prevention purposes, you will still need to register and pay the fee.
You can use the ICO self-assessment form to determine if you are exempt or not.
If you aren’t exempt (and this is most likely to be the case), you’re required to pay a yearly fee that’s set by Parliament. The fee depends on the size of your business - most notably, how many staff you employ and what your annual turnover is.
There are three payment tiers ranging from £40 to £2,900. The vast majority of businesses will pay either £40 or £60 per year and, if you pay by direct debit, this is lowered by £5 per year. Choosing the direct debit option can be a useful tactic if you don’t want to forget to renew your registration.
The three payment tiers and the associated annual costs are:
Tier 1 - micro organisations
If you have a maximum turnover of £632,000 for your financial year or no more than 10 employees, the fee is £40.
Tier 2 - small and medium organisations
If you have a maximum turnover of £36 million for your financial year or no more than 250 employees, the fee is £60.
Tier 3 - large organisations
If you exceed the figures stated in tiers 1 and 2, you will be in tier 3 and the fee is £2,900.
There are a couple of exceptions to these payment tiers. Public authorities only need to categorise themselves based on staff numbers. Charities and small occupational pension schemes pay £40 regardless of their turnover or staff numbers.
You can pay your data protection fee online via the ICO website. If it’s the first time you’re submitting a payment, you’ll need to fill out a form. This can take around 15 minutes. You’ll need your company registration number (if you have one), the number of employees you have, your contact details, and your bank or card details.
Paying the small yearly fee is a much better option than the alternative. Businesses that don’t adhere to the rules and fail to pay their yearly fee can be fined up to £4,350 by the ICO.
On top of this, the ICO publishes a list of all fee-paying companies. So, if your business isn’t on that list, it becomes obvious to your customers and suppliers quite quickly. Paying the fee and getting yourself on the list not only helps you avoid financial penalties, but it’s also seen as a sign that you’re aware of your data protection obligations.