Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

New Fee Charging Structure to Fund the UK Information Commissioner’s Office

By Sam Choi on March 8, 2018
Email this postTweet this postLike this postShare this post on LinkedIn

The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO) to come into effect on 25 May 2018 to coincide with the GDPR coming into force.

Currently, organisations that are controllers of personal data are legally required to register details of their processing activities with the ICO and pay a notification fee of £35 or £500, unless they are exempt.

This two-tier structure will be replaced by a three-tier annual fee structure based on the relative risk to the data that an organisation processes.  This will be measured according to a number of factors, including size, turnover, and whether an organisation is a public authority or charity.

 The three-tier fee structure is as follows:

     Tier 1
Micro organisations.
Maximum turnover of £632,000 or no more than ten members of staff.

Fee: £40 (or £35 if paid by direct debit)
     Tier 2
Small or medium organisations.
Maximum turnover of £36 million or no more than 250 members of staff.

Fee: £60
     Tier 3
Large organisations.
Those not meeting the criteria of Tiers 1 or 2.

Fee: £2,900

This new fee structure will come into effect on 25 May 2018, so until then, organisations are legally required to pay the current notification fee under the two-tier structure, unless they are exempt.  There will continue to be financial penalties for not paying fees, but these will be in the form of civil monetary penalties rather than a criminal sanction.

Exemptions

Generally, organisations that are controllers of personal data are required to pay the notification fee.  However, there are exemptions for organisations that process personal data only for one (or more) of the following purposes:

  • Staff administration
  • Advertising, marketing and public relations
  • Accounts and records
  • Not-for-profit purposes
  • Personal, family, or household affairs
  • Maintaining a public register
  • Judicial functions
  • Processing personal information without an automated system as a computer.

It is important to note that even if there is an exemption to paying a fee, there is still a need to comply with other data protection obligations.

In the meantime, the ICO has stated, “if you renewed or registered before 25 May 2018 under the 1998 Act, that registration will be valid for 12 months,” so data controllers do not need to pay another fee until their current notification has expired.

Photo of Sam Choi Sam Choi
Read more about Sam ChoiEmail
  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    HL Chronicle of Data Protection
  • Organization:
    Hogan Lovells

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo