Under powers granted by the DPA 1998, organisations that process personal data have had fees levied to fund the ICO’s data protection work, unless they were exempt.
When GDPR comes into force on 25th May 2018, this will change.
The Existing System
Under the existing fee structure, most organisations, including charities, are required to pay a fee of £35.
If the organisation has a turnover of more than £25.9M and more than 249 members of staff, OR if the organisation is a public authority with more than 249 staff members, the fee is £500.
The New System
Under the new arrangements, a three-tier system for registration has been proposed to Parliament, taking into account factors such as the size and turnover of the organisation, and whether the organisation is a public authority or a charity.
In summary, the proposed fees are:
• Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 (or £35 if paid by direct debit)
• Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60
• Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900
The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
Once approved (and it seems likely it will be) the new structure will come into effect on 25th May to coincide with the GDPR.
Do I Still Need to Register?
Until the 25th May, organisations are still legally required to pay the current notification fee (unless exempt).
There are, as now, some organisations that can try to claim an exemption from notifying and paying the fee.
Note: this is not an exemption from having to comply with the GDPR(!)
The ICO has an easy self-assessment which can guide you.
Our advice: it will probably take you more time and resource to try and assess whether you qualify for an exemption, and more time and effort to explain to anyone who asks “why is your organisation not registered” than it will to simply register and pay the fee.
Great News for Charities
Charities that are not subject to an exemption will only be liable to pay the Tier 1 fee, regardless of size or turnover.
Bottom Line
If you were registered with the ICO previously, yes, you need to continue to be registered, and going forward, the fee for registration for a charity will not exceed £40.
You will not need to provide the same level of detail you currently need to provide to the ICO (about purposes and Categories of Data Subject, for example)… but this is only because you should instead be maintaining your Record of Processing Activity (ROPA) yourself.
For more detailed information, the ICO guidelines document is available here: