Fees for data controllers under GDPR

This blog has been updated. It was originally published 4th April 2018.

The introduction of GDPR (General Data Protection Regulation) in May 2018 did not remove the need to register annually with the Information Commissioner’s Office.

If you are classified as a Data Controller (an organisation that decides the purposes and means by which personal data is processed), you will still need to register with the ICO and pay the relevant registration fee.

If you're not sure whether you need to register, you can check by using the ICO's Registration self-assessment tool.

The cost of registering as a data controller

Organisations that process personal data are charged a fee that depends on which of three tiers they fall within:

  • Tier 1 is for “micro organisations” – including those with an annual turnover of less than £632,000, 10 members of staff
  • Tier 1 also includes charities and small occupational pension schemes, regardless of size or turnover
  • Tier 2 is for “SME organisations” – including those with a turnover of no more than £36 million, or no more than 250 personnel
  • Tier 3 is for “large organisations” (all other organisations)

The fees associated with each of these tiers are as follows (a £5 discount will apply for direct debit payments):

  • Tier 1 – £40
  • Tier 2 – £60
  • Tier 3 – £2,900

Public authorities will be charged in accordance with their number of personnel and not their annual turnover.

Some exemptions to the new fee schedule apply if one or more of the following situations applies:

  • Personal and family data processing
  • Employee administration
  • Accounts and records
  • Judicial functions
  • Not-for-profit activities
  • Advertising, marketing and public relations
  • Maintaining a public register
  • Personal data processing not undertaken on an electronic device

To find out more, review this detailed ICO guidance on GDPR fees, which will help you to prepare and budget accordingly.