This subject has been raised frequently. The ICO state that an organisation that is a data controller must register unless it is exempt.
We have been looking into where this comes from. A little-known piece of legislation came into force on the 25th May 2018, the same day that GDPR became applicable: The Data Protection (Charges and Information) Act 2018.
This Act is what governs the need for registration and the fees involved.
The Act also details the costs of registering with the ICO. There are 3 tiers. Annual costs are:
You can save £5.00 if you pay by direct debit!
Criteria for the tiers are:
The rules are deceptively simple: all organisations must register unless all their processing is 'exempt'.
The Act contains a 'Schedule' which lays out what is exempt processing. When you look at it, most processing for many businesses will indeed be exempt.
If your organisation's line of work is finance, care, education or processing data on behalf of others, or if you use CCTV to detect crime, you almost certainly do need to register.
The ICO have put together a helpful self-assessment tool. It takes almost no time to complete, so if you have any concerns, give it the 2 minutes it requires.
Even if you are exempt, the ICO helpfully provide a quick link from the end of the self-assessment to pay a data protection fee anyway, and to be honest, given the low costs you may want to, just for peace of mind.
We have also seen a recent example of how the ICO are likely to deal with those who should pay the 'data protection fee' but don't. Noble Design and Build of Telford were prosecuted by the ICO on the 3rd July 2018 for not being registered when the company should have been. The company received a letter and then an email telling them they needed to register, among other things. This action was taken under the DPA 1998, due to the date of the offence. The total cost for the company is £5,034.08.