Have you paid the data protection fee?


The Information Commissioner’s Office (ICO) has started enforcement action against a number of care homes that have failed to pay the data protection fee.

Under data protection law, all organisations that process personal data must pay a fee to ICO to become a registered data controller.

The fee, which came into force on 25 May 2018 to coincide with the new Data Protection Act (2018) and the General Data Protection Regulation (GDPR), costs no more than £35 for very small organisations, while larger organisations are required to pay up to £2,900.

However, businesses that fail to pail the fee could face a maximum fine of £4,350.

Paul Arnold, Deputy Chief Executive Officer at the ICO, said the care home sector is currently under-represented on the register of data controllers and risks enforcement action if care home bosses fail to register their organisation.

The report adds that there are exemptions from paying the fee but care homes process “particularly sensitive personal information” for “health administration and patient care purposes” and are therefore not exempt.

Commenting on the recent enforcement action against care homes, Mr Arnold said: “We expect the notices we have issued to serve as a final demand to these businesses and that they will pay before we proceed to a fine. But we will not hesitate to use our powers if necessary.

“All organisations that are required to pay the data protection fee must prioritise payment or risk getting a formal letter from us outlining enforcement action.”

For more information on the data protection fee, please click here. For help staying compliant with GDPR, please get in touch with our expert team.