Data protection fee regime: proposed changes
Updated 16 January 2025
Ministerial foreword
The Prime Minister is committed to five missions that will drive this government’s programme of work - securing economic growth, making the UK a clean energy superpower, reducing crime, breaking down barriers to opportunities, and building an NHS fit for the future.
Many factors will play a role in achieving these outcomes, but there is one that will underpin them all: data. How we harness data, the opportunities it creates, and the innovations it makes possible will be critical to realising our goals across the missions – whether that is driving productivity across the economy, transforming public services like the NHS or schools, or identifying how to improve opportunities and outcomes for our children.
Much of the data we need to use to achieve these outcomes will be personal data. That is why it is essential that we have a regulatory environment that enables data to be used safely and confidently, underpinned by the highest standards of data protection. And it is why the work of the UK’s independent data protection regulator, the Information Commissioner’s Office (ICO), is so important.
As the Secretary of State for Science, Innovation and Technology, I have a statutory duty to make sure that the ICO has the resources it needs to deliver its regulatory functions – and beyond this, a responsibility to ensure that the ICO remains a forward-looking, world class regulator. That is why I am consulting on an uplift to the data protection fees that fund the ICO’s data protection activities. These fees have not risen in line with inflation since their introduction in 2018, meaning the ICO today is delivering the same level of statutory responsibilities with significantly less real-term income. They also do not take into account the ongoing investment the ICO has needed to make in its capabilities over the last 6 years – and which it will need to continue making - to ensure it can regulate effectively in the rapidly evolving era of digital technologies and AI. An uplift in fees is overdue.
The proposals contained in this document outline a proportionate set of increases to the annual data protection fees that will amount to between £15 - £22 for 99% of fee payers. I am confident this is a reasonable and justified uplift to make in view of the vital work which the ICO undertakes, and one that will ensure the ICO’s ongoing effectiveness in supporting the UK’s data protection framework. However, my final decision on the level of increases will be informed by the outcome of this consultation.
I look forward to hearing your views on the proposals, as well as any additional comments you may have.
Peter Kyle
Secretary of State for Science, Innovation and Technology
Why we are consulting
The ICO is the independent regulator with responsibility for monitoring and enforcing the application of data protection legislation in the UK.
The ICO’s data protection activities are funded by fees paid by data controllers (individuals and organisations that process personal data). The amount of fees payable, as well as exemptions from paying the fees, are set out in the Data Protection (Charges and Information) Regulations 2018 (“the Charges Regulations”).
There are currently three tiers of fees payable, based on an organisation’s size (number of staff) and turnover:
- tier 1 (micro organisations): £40
- tier 2 (small and medium organisations): £60
- tier 3 (large organisations): £2900
A £5 discount applies to payments made by direct debit across all tiers. These fees have not been increased since their introduction in 2018 and the fee for controllers in Tier 1 who pay by direct debit has not changed since 2000.
This consultation is seeking views on proposals to amend the current data protection fees, following a statutory review of the Charges Regulations 2018 as mandated by section 138(3)(a) of the Data Protection Act 2018.
The proposals aim to provide the ICO with the necessary resources to carry out its functions effectively, including to support the successful implementation of the Digital Information and Smart Data Bill announced in the King’s Speech, which will give the ICO new, stronger powers to protect people’s data.
Consultation details
- Issued: 29 August 2024
- Respond by: 3 October 2024
Enquiries to:
ICO Sponsorship and Regulatory Policy Team
Department for Science, Innovation and Technology
1st Floor
22 Whitehall
London
SW1A 2EG
Email: dpfr.consultation@dsit.gov.uk
Consultation reference: data protection fees consultation
Audiences:
We welcome responses from interested individuals and organisations from across the UK.
Given the focus of the consultation, we consider it to have particular relevance to data controllers, including individuals and organisations across the private, public and the Civil Society and Voluntary, Community and Social enterprise sectors, who are currently paying or expect to be required to pay a data protection fee in the future.
Territorial extent:
The consultation is on a UK-wide basis: we welcome responses from organisations and individuals across the UK.
How to respond to this consultation
Submit your responses online here.
This consultation will run until 23:55 on 3 October 2024.
If you would like to provide a response via email, please complete the consultation response form on (available on the consultation web page) and send it to us at dpfr.consultation@dsit.gov.uk.
In exceptional circumstances, if you need to submit a hard copy, please contact us at dpfr.consultation@dsit.gov.uk and we will advise how to do this. Should you require another format (e.g. braille or large font) please contact alt.formats@dsit.gov.uk.
When responding, please state whether you are responding as an individual or representing the views of an organisation.
Your response will be most useful if it is framed in direct response to the questions posed, though further comments and evidence are also welcome.
To help us analyse the responses, please use the online system wherever possible and ensure you have submitted your response before exiting the questions.
This consultation will run until 23:55 on 3 October 2024. Thank you for your interest in responding to this consultation.
After the consultation closes: summary of next steps
The government’s response to this consultation will be published in due course following its closure on 3 October 2024. This will take all responses submitted to this consultation into account and will be based on careful consideration of the points made in responses.
Confidentiality and data protection
Information you provide in response to this consultation, including personal information, may be disclosed in accordance with UK legislation (the Freedom of Information Act 2000, the Data Protection Act 2018 and the Environmental Information Regulations 2004).
If you want the information that you provide to be treated as confidential please tell us but be aware that we cannot guarantee confidentiality in all circumstances. An automatic confidentiality disclaimer generated by your IT system will not be regarded by us as a confidentiality request.
We will process your personal data in accordance with all applicable data protection laws. See our privacy policy.
We will summarise all responses and publish this summary on GOV.UK. The summary will include a list of names or organisations that responded, but not people’s personal names, addresses or other contact details.
Quality assurance
This consultation has been carried out in accordance with the government’s consultation principles.
If you have any complaints about the way this consultation has been conducted, please email: dpfr.consultation@gov.uk.
Executive summary
1. This document sets out the government’s proposals to amend the fees that are payable by data controllers to the ICO. This follows a statutory review of the Charges Regulations 2018 that was launched in 2023.
2. The proposals aim to achieve three objectives, namely:
a. to safeguard an adequate and stable level of funding for the ICO, enabling it to fulfil its existing and future data protection responsibilities;
b. to ensure that the fees are proportionate and that regulatory costs are spread fairly across data controllers; and
c. to ensure that the fee regime is easy to understand and navigate for data controllers and for the ICO to administer.
3. If implemented, the proposals will be the first set of changes to the data protection fees since 2018. They will secure the financial resources required to support the ICO in fulfilling its functions under data protection legislation, including the provision of guidance, advice and support to organisations to enable compliance with data protection obligations, and to achieve full cost recovery in line with HM Treasury’s principles on Managing Public Money.
4. The government is not proposing any changes to the existing three-tiered fee structure itself, including the current tier assessment criteria, nor to the applicable exemptions from paying the charges. This will ensure continuity in the current approach and minimise any disruption in the administration of the fees both for paying data controllers and the ICO.
5. Subject to the outcome of this consultation, the government aims to implement changes to the current fee regime in 2025.
Funding of the ICO
1. The ICO is the UK’s independent regulator with responsibility for monitoring and enforcing the application of data protection legislation in the UK. The ICO has an important, complex and wide-ranging mandate. In addition to being responsible for the regulation of personal data protection, it is empowered to take regulatory action under eleven pieces of legislation, including the Freedom of Information Act 2000 and the Network and Information System Regulations 2018. The Department for Science, Innovation and Technology (DSIT) is the sponsoring government department for the ICO.
2. The ICO’s statutory responsibilities in relation to data protection are funded through the data protection fee, which accounts for the majority of the ICO’s funding overall. This is supplemented by grant-in-aid from the government to fund the ICO’s regulation of other laws outside of data protection.
3. The data protection fees are set out in regulations made by the Secretary of State (the Data Protection (Charges and Information) Regulations 2018). These fees can be amended through secondary legislation using powers at section 137(1) of the Data Protection Act 2018 (DPA 2018). In setting such fees, the Secretary of State has a statutory duty at section 137(4) of the DPA 2018 to have regard to the desirability of securing that the fees payable are sufficient to offset, amongst other matters, the costs of the Information Commissioner carrying out their functions under the data protection legislation.
Current data protection fee regime
4. In May 2018, the government introduced a new data protection fee regime through the Charges Regulations 2018, replacing the previous notification fees which had been in effect since 2000. The regulations set out the fees payable, the information that data controllers are required to provide to the Information Commissioner, the time at which fees must be paid, as well exemptions from the requirement to pay a fee.
5. There are currently three tiers of fees payable annually by data controllers, based on the size and turnover of organisations. A £5 discount applies to payments made by direct debit across all tiers.
- tier 1 (micro organisations - maximum turnover of £632,000 or no more than 10 members of staff): £40
- tier 2 (small and medium organisations - maximum turnover of £36 million or no more than 250 members of staff): £60
- tier 3 (large organisations which do not meet criteria for tier 1 or 2): £2900
6. Fees payable by public authorities are calculated according to the number of members of staff only. Charities and small occupational pension schemes are automatically classified in the lowest tier.
7. The fee regime provides for a number of exemptions from the requirement to pay a fee which are set out in the schedule to the Charges Regulations 2018. The exemptions include manual (i.e. non-automated) processing; processing for personal, family or household purposes; for the purpose of maintaining a public register; for staff administration purposes; for the purposes of advertising, marketing and public relations in respect of a data controller’s own activities; and for the purposes of keeping accounts, records and making financial forecasts. In addition, processing is also exempt if it is carried out by a not-for-profit body for certain purposes; by a judge for the purposes of exercising judicial functions; and by a member of the House of Lords, an elected representative or a prospective representative. Even if exempt from paying a fee, organisations that process personal data are still required to comply with data protection law.
Review of the current fee regime
8. A statutory review of the fee regime was launched in 2023 in line with the requirements set out in Section 138(3) of the Data Protection Act 2018. The review has made several key findings that have informed the proposals in this document:
a. The current fee levels are no longer adequate to offset the costs incurred through the ICO’s statutory responsibilities and the ongoing investment needed to maintain the ICO as an effective, forward-looking regulator. The current fee regime has remained unchanged since 2018. This means that the real term value of the fees has reduced substantially due to inflationary pressures, while the level of regulatory responsibilities that ICO is expected to deliver has remained the same - and is set to grow further with the additional measures outlined in the forthcoming Digital Information and Smart Data Bill. At the same time, the widespread adoption of digital technologies and AI has dramatically changed the regulatory context in which the ICO is required to carry out its data protection activities, requiring an ongoing investment in organisational transformation and upskilling to ensure it can discharge its duties effectively.
b. The current three tier structure is straightforward and easy to navigate for data controllers. The fee structure is by now well established and was designed to align with standard government classifications for micro, small and medium businesses. Organisations can easily determine the fee payable by completing the ICO’s online self-assessment tool. Similarly, the simplicity of the current structure ensures that it is straight forward for the ICO to manage.
c. The exemptions from paying a fee continue to be appropriate. In general, the exemptions are intended to apply to routine, narrowly defined data processing which data subjects would expect to be processed as a matter of course for these matters. In addition, many of these exemptions are in place with the intention of reducing burdens, given that smaller organisations and sole traders often only hold personal data for these specific exempt purposes. A review and consultation in the summer of 2018 confirmed that a majority of respondents believed they were appropriate and fit for purpose.
d. The direct debit discount continues to benefit fee payers and the ICO. The direct debit continues to benefit fee payers across the tiers, especially the micro-organisations and sole traders in tier 1, 63% of whom use the discount. By incentivizing the use of direct debit payments, the discount in turn benefits the ICO by reducing administrative costs and the scope for late or missed payments.
Proposed changes to the fee structure
9. In light of the fee review findings, we are proposing an uplift to the annual data protection fees to ensure the ICO has sufficient funding to discharge its statutory responsibilities effectively, invest in ongoing transformation and provide the best service and support to data controllers. Specifically, we are proposing an increase of 37.2% distributed evenly across the tiers. For data controllers in tiers 1 and 2, this will reflect a modest increase of £15 and £22[footnote 1]. For the largest organisations who make up the tier 3 – organisations that have more than 250 staff and an annual turnover greater than £36 million - the increase is more substantial (£1,079). The indicative fee ranges are set out below in table 1[footnote 2].
Table 1: proposed changes to the fee structure
tier | current fee | proposed indicative fee |
---|---|---|
1 | £40 | £55 |
2 | £60 | £82 |
3 | £2900 | £3979 |
10. The government considers this proposal to be fair and proportionate way to ensure the ICO has the funding it needs to deliver its statutory duties and maintain the best levels of service for data controllers. It equates to a relatively modest set of increases for the 99% of fee payers who make up Tier 1 and 2, whose fees have not changed since 2018; and in assigning a uniform percentage uplift across the tiers, it reflects the fact that fees in each of these tiers have remained static despite inflationary increases since 2018. This is therefore reflected in the increase to fees.
11. The government is not proposing any other changes to the tiering structure, exemptions or direct debit discount. In line with the findings of the fee review, we believe these aspects of fee regime are important in maintaining the overall simplicity and clarity of the fee regime (in the case of the tier structures); in enabling routine, narrowly targeted data processing and reducing burdens on smaller organisations (in the case of the exemptions); and in facilitating the collection of fee income (in the case of the direct debit discount).
12. While the government is not proposing any changes to the tiering structure, exemptions or direct debit discount, we welcome views from stakeholders to ascertain whether these aspects of the fee regime are appropriate and fit for purpose.
Consultation questions
Questions about the respondent
1. Are you responding as an individual or on behalf of an organisation?
- Individual
- Organisation
2. Are you or the organisation you represent a data controller?
- Yes
- No
- Don’t know
3. Which of the following best describes the sector you/your organisation operate(s) in?
- Public sector
- Private sector
- Civil Society and Voluntary, Community and Social Enterprise sector
- Other (please specify)
4. How many staff are employed by you/your organisation?
- 0-10
- 11-250
- More than 250
- Don’t know
5. If applicable, what was your/your organisation’s turnover in the financial year 2023-2024?
- Less than or equal to £632,000
- Greater than £632,000 but less than or equal to £36 million
- More than £36 million
- Don’t know
- Not applicable
6. We may wish to contact you in order to discuss your response in more detail. If you are happy to be contacted, please provide your details below (if responding on behalf of an organisation, please include the organisation details). If not, please move on to the next question.
- [name]
- [email address]
Questions about the level of fees
7. How appropriate do you think the government’s proposal to increase tier 1 fees by £15 is?
- Very appropriate
- Fairly appropriate
- Neither appropriate nor inappropriate
- Fairly inappropriate
- Very inappropriate
- Don’t know/no opinion
Please tell us why you think this.
8. How appropriate do you think the government’s proposal to increase tier 2 fees by £22 is?
- Very appropriate
- Fairly appropriate
- Neither appropriate nor inappropriate
- Fairly inappropriate
- Very inappropriate
- Don’t know/no opinion
Please tell us why you think this.
9. How appropriate do you think the government’s proposal to increase tier 3 fees by £1079 is?
- Very appropriate
- Fairly appropriate
- Neither appropriate nor inappropriate
- Fairly inappropriate
- Very inappropriate
- Don’t know/no opinion
Please tell us why you think this.
10. Do you have any further comments about the government’s proposal to increase fees for all tiers by roughly 37.2% compared to the current levels?
Questions about the fee structure
11. How easy or difficult is the current fee structure to understand?
- Very easy
- Fairly easy
- Neither easy nor difficult
- Fairly difficult
- Very difficult
- Don’t know/no opinion
Please tell us why you think this
12. The government is proposing to not change the criteria for determining the tier of fee payable (annual turnover or number of staff). Do you or the organisation you represent consider the criteria for determining fees to be appropriate?
- Very appropriate
- Fairly appropriate
- Neither appropriate nor inappropriate
- Fairly inappropriate
- Very inappropriate
- Don’t know/no opinion
Please tell us why you think this
13. Do you have any further comments about the government’s proposal to retain the current fee structure?
Questions about the current exemptions
14. Do you currently use an exemption?
- Yes
- No
- Don’t know
15. The government is minded to keep the existing exemptions. Do you agree with this position?
- Yes
- No
- Neither agree nor disagree
- Don’t know
If your answer to the previous question was “no”, please provide more detail as to why you disagree with the proposal to retain the current exemptions.
16. Do you have any further thoughts about the current exemptions?
Direct Debit
17. Have you or the organisation you represent paid your data fee by direct debit in the past 12 months? If you have selected “no” or “don’t know” please skip question 18 and move on to question 19.
- Yes
- No
- Don’t know/not applicable.
18. To what extent would you say that the £5 direct debit discount makes a difference to you/your organisation in terms of reducing costs?
- It makes a significant difference.
- It makes a small difference.
- It does not make a difference at all.
- Don’t know/no opinion
Please tell us why you think this.
19. To what extent do you agree with a proposal to retain the £5 direct debit discount?
- Strongly agree
- Somewhat agree
- Neither agree nor disagree
- Somewhat disagree
- Strongly disagree
- Don’t know/no opinion
Please tell us why you think this.
20. Do you have any further comments about the government’s proposal to retain the direct debit discount?