GDPR: requirement to register

On 25th May 2018 a new data protection regime will come into force through the General Data Protection Regulation (GDPR). Amongst other things, the GDPR (as supplemented by the Data Protection (Charges and Information) Regulations 2018) will change the way the Information Commissioner’s Office (ICO) funds its data protection work.


Requirement to notify

Under the Data Protection Act 1998, organisations were required to notify (or register).

Under the new regime, data controllers are required to pay the ICO what will now be known as a data protection fee. This replaces the requirement to notify under the DPA.


Does this impact on a current registration?

Although the new regime comes into effect on 25 May 2018, this doesn’t mean everyone has to pay a new fee on that date. Organisations who have a current registration under the DPA do not have to pay the new fee until that registration has expired.


How much is the data protection fee?

There are three different tiers of fee, ranging between £40.00 and £2,900.00. These fees are set by Parliament. The tier that organisations fall into depends on factors such as how many members of staff they have and their annual turnover.


Tier 1 – micro organisations.

These have a maximum turnover of £632,000 for their financial year or no more than ten members of staff.

The fee for tier 1 is £40.00.


Tier 2 – small and medium organisations.

These have a maximum turnover of £36 million for their financial year or no more than 250 members of staff.

The fee for tier 2 is £60.00.


Tier 3 – large organisations

If organisations don’t meet the criteria for either tier 1 or tier 2, they have to pay the tier 3 fee of £2,900.00.


It’s important to note that the ICO considers all organisations to be in tier 3 unless and until they tell the ICO otherwise.

There is a discount of £5.00 at the point of payment if the fee is paid by direct debit.


Data protection register

The ICO publishes details of all data controllers who pay the data protection fee. This is available on their website.



It’s the commission of an offence if a controller either:

  • doesn’t pay a fee, or
  • doesn’t pay the correct fee.

The maximum penalty is a fine of £4,350.00 (i.e. 150% of the top tier fee).