Who needs to register with the ICO

Legal Update


This is a subject that is raised frequently. The ICO state that an organisation that is a data controller must register unless it is exempt.

We have been looking into where this requirement comes from. A little-known piece of legislation came into force on the 25th May 2018, the same day that GDPR became applicable: The Data Protection (Charges and Information) Act 2018.

This Act is what governs the need for registration and the fees involved.

Costs of registration

The Act also details the costs of registering with the ICO. There are 3 tiers. Annual costs are:

  • Tier 1 - £40
  • Tier 2 - £60
  • Tier 3 - £2,900

You can save £5.00 if you pay by direct debit!

How the tier is calculated

Criteria for the tiers are:

  • Tier 1 - charities, or up to 10 staff and less than £632,000 annual turnover
  • Tier 2 - 11 to 250 employees and annual turnover less than £36 million
  • Tier 3 - everyone else

Who needs to register

The rules are deceptively simple: all organisations must register unless all their processing is 'exempt'.

The Act contains a 'Schedule' which lays out what is exempt processing. When you look at it, most processing for many businesses will indeed be exempt.

  • Staff administration (including payroll)
  • Accounts or records (i.e. invoices and payments)
  • Advertising, marketing and public relations (in connection with your own business activity)

If your organisation's line of work is finance, care, education or processing data on behalf of others, or if you use CCTV to detect crime, you almost certainly do need to register.

What you need to do

The ICO have put together a helpful self-assessment tool. It takes almost no time to complete, so if you have any concerns, give it the 2 minutes it requires.

Even if you are exempt, the ICO helpfully provide a quick link from the end of the self-assessment to pay a data protection fee anyway, and to be honest, given the low costs you may want to, just for peace of mind.

Are the ICO policing it?

We have also seen a recent example of how the ICO are likely to deal with those who should pay the 'data protection fee' but don't. Noble Design and Build of Telford were prosecuted by the ICO on the 3rd July 2018 for not being registered when the company should have been. The company received a letter, and then an email, telling them they needed to register, and other things. This action was taken under the DPA 1998, due to the date of the offence. The total cost for the company is £5,034.08.

If you need advice about GDPR, contact us!

FREE initial consultation!

Call now on 0800 2800 679

Email enquiries@dept679.com