ICO fines businesses over data protection fee

More than 100 organisations have been fined by the UK's Information Commissioner's Office (ICO) for failing to pay the data protection fee.

30 Nov 2018

The ICO said that organisations in construction, finance and other areas of business were among those issued with penalty notices. The watchdog said that, since September this year, it has issued more than 900 notices of intent to fine organisations for non-payment of the data protection fee.

Organisations responsible for how personal data is handled are generally obliged to pay a data protection fee each year to fund the monitoring of compliance and enforcement of data protection law in the UK.

A rate of £40 for micro organisations, £60 for small and medium organisations, and £2,900 for large organisations applies, with the fee payable by all data controllers operating in the UK, unless an exemption applies. The Information Commissioner's Office (ICO) issued guidance on the topic of the data protection fee earlier this year.

Exemptions to payment apply to certain types of data processing. For example, an exemption applies where organisations only process personal data for staff administration purposes, advertising, marketing and public relations purposes, and/or accounts and records purposes, other than when processing personal data by or obtained from a credit reference agency.

Data controllers that do not process personal data by automated means, or with the intention that it be processed by automated means, are also exempt from the fee.

Businesses that do not qualify for an exemption can be fined up to £4,350 for not paying the data protection fee if "aggravating factors" apply.

Paul Arnold, the ICO's deputy chief executive, said: "Following numerous attempts to collect the fees via our robust collection process, we are now left with no option but to issue fines to these organisations. They must now pay these fines within 28 days or risk further legal action."

"You are breaking the law if you process personal data or are responsible for processing it and do not pay the data protection fee to the ICO. We produce lots of guidance for organisations on our website to help them decide whether they need to pay and how they can do this," he said.

Rif Kapadi, a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com, said: "Although the fines for this type of breach are far lower than those that can arise under GDPR itself and no longer attach criminal liability, 900 notices to those that have failed shows a systematic approach to enforcement which may lead to further enquiry on wider practices."