This article is more than 1 year old

Er, we have 670 staff to feed now: UK's ICO fines 100 firms that failed to pay data protection fee

Enforcing GDPR is expensive work, says watchdog

More than a hundred firms have been fined for failing to pay fees that the UK's overstretched data protection watchdog needs to feather its nest.

Since May, data controllers – orgs that define how and why personal data is processed – have been required to pay higher fees to the Information Commissioner's Office.

If they don’t, the ICO can fine them up to £4,000, and they are able to levy an extra £350 on the most egregious cases.

The body has been sending out warning letters to companies that haven't made the payment, with more than 900 issued.

Today it announced it was issuing 100 of these bad apples, in the business services, construction and finance sectors, with monetary penalties.

"More fines are set to follow," the ICO added.

The body has a vested interest in these data protection fees because – as opposed to the fines it hands out for breaches of data protection laws – that cash goes straight back into its coffers.

The money is to fund the ICO's work investigating data breaches and complaints, its advice line and other resources it offers to organisations and the public.

"The ICO has grown over the last two years to meet its wider data protection remit and responsibilities following GDPR. It now employs 670 staff," it said, pointedly.

Deputy CEO Paul Arnold said the ICO had made "numerous attempts" to bring in the fees using a "robust collection process" and warned those who have been fined must pay within 28 days or risk further legal action.


What's an RDBMS? Don't ask the UK's data protection watchdog


He said organisations are breaking the law if they process personal data, or are responsible for processing it, and don't pay the fee.

The fees work on a tiered structure based on staff numbers and maximum turnover: organisations with fewer than 10 staff pay £40, SMEs pay £60 and those with more than 250 staff or a £36m-plus turnover have to pay £2,900.

The fines are tiered too, up to £400, £600 and £4,000, respectively.

The ICO didn't name the organisations that had been handed the fines. ®

More about

More about

More about


Send us news

Other stories you might like