ICO: GDPR fees

The introduction of the General Data Protection Regulation will affect fees issued by the Information Commissioner's Office

If you currently have a registration (or notification) under the Data Protection Act 1998, you will not need to pay the new data protection fee until your registration expires. The Information Commissioner's Office (ICO) will write to businesses before this happens, to remind them that the registration is about to expire and to explain what is required.

You can read the draft Data Protection (Charges and Information) Regulations 2018.

The fees are:

  • tier 1 – micro organisations, £40. Maximum turnover of £632,000 for the financial year or no more than 10 members of staff
  • tier 2 – small and medium organisations, £60. Maximum turnover of £36m for the financial year or no more than 250 members of staff
  • tier 3 – large organisations, £2,900. If you do not meet the criteria for tiers 1 or 2, you have to pay the tier 3 fee.

The tier you fall into depends on:

  • how many members of staff you have
  • your annual turnover
  •  whether you are a public authority
  • whether you are a charity
  • whether you are a small occupational pension scheme.

The ICO states that all controllers must pay a fee but many can rely on an exemption.


You don’t need to pay a fee if you are processing personal data only for one (or more) of the following purposes:

  • staff administration
  • advertising, marketing and public relations
  • accounts and records
  • not-for-profit purposes
  • personal, family or household affairs
  • maintaining a public register
  • judicial functions
  • processing personal information without an automated system such as a computer.

The data protection fee: a guide for controllers, published by the ICO, includes a Q&A (pages 6 to 9), enabling businesses to check if they are exempt.