Handley Gill Limited

More for less?

As the government urges regulators to hold back in favour of growth, and the Information Commissioner has been criticised for his lack of enforcement action, the government has increased the annual fee payable to the Information Commissioner by many data controllers by an average of 29.9%. While this is less than the originally proposed average inflation-busting increase of 37.1%, controllers will be paying more while the public can expect less from the data protection regulator.
— Handley Gill Limited

Within days of the Prime Minister Keir Starmer warning of a “painful” October budget and that “those who made the mess should have to do their bit to clean it up”, the Department for Science, Innovation and Technology issued a consultation on its proposals to impose inflation-busting increases to the fees payable by data controllers to the Information Commissioner, the data protection and information rights regulator.

The Information Commissioner’s Office is primarily funded by a combination of the data protection fee and a proportion of the income from fines it imposes, which it is permitted to retain to cover internal and external legal costs for enforcement action and litigation in accordance with its netting off agreement with HM Treasury. These sources are intended to cover the costs of its statutory duties in relation to data protection regulation. This income is supplemented by a grant-in-aid to cover the costs of its statutory duties under information access legislation (e.g. the Freedom of Information Act 2000).

Section 137 Data Protection Act 2018 makes provision for the Secretary of State to make regulations requiring controllers to pay charges to the Commissioner. In setting the charges, the Secretary of State is required to have regard to the desirability of securing that the charges payable are sufficient to offset the cost of the ICO discharging its functions under the UK GDPR and Data Protection Act 2018, the Data Protection Act 1998, sections 108 and 109 of the Digital Economy Act 2017, and the Privacy and Electronic Communications Regulations 2003.

The Data Protection (Charges and Information) Regulations 2018 (SI 2018/4880) established 3 tiers of controller, being (i) tier 1 - micro, (ii) tier 2 - small and medium organisations and (iii) tier 3 - large organisations.

Charities, small occupational pension schemes, and organisations with a turnover of less than or equal to £632,000 or with 10 or fewer members of staff are tier 1 – micro organisations and, until today, 17 February 2025, were liable to pay a fee of £40 per annum.

Organisations not in tier 1 and with an annual turnover of £36 million or less or 250 or fewer staff are tier 2 – small and medium organisations and were liable to pay a fee of £60 per annum.

Organisations not falling within tiers 1 or 2 are tier 3 – large organisations and were liable to pay a fee of £2,900 per annum.

A £5 discount is available for all fees paid by direct debit. 

In determining the relevant fee, no consideration is given to the sector in which the controller operates or the nature or volume of the personal data being processed. While the ICO did not include details of the sectors generating the most data protection complaints in its 2023-24 annual report, and its categorisation of sectors in previous reports has varied so direct comparisons cannot be made, in both 2021-22 and 2022-23 the sectors generating the most data protection complaints were: the land and property services sector; the finance, insurance and credit sector; and, the health sector. Together these accounted for approximately one third of all complaints. In relation to personal data breaches, the health, education and childcare sectors have consistently seen the highest reporting although this is perhaps unsurprising given that the risks associated with the breach of children’s data or health data are more likely to make such breaches reportable.

Public bodies are obliged to pay the fee in the same way as businesses, save that the turnover threshold is inapplicable and their payment is therefore based on their size.

Several exemptions are set out at paragraph 2 of the Schedule to The Data Protection (Charges and Information) Regulations 2018 excusing controllers from having to pay the data protection fee, including where personal data is processed: solely for personal, family or household affairs; without the use of or intention to use automated means; only in relation to the administration of the controller’s own staff, volunteers and/or contractors; and/or only for the purpose of the advertising, marketing and PR of the controller’s own business, activity, goods or services.

In August 2024, the Department for Science, Innovation & Technology published a consultation to implement what it described as a “proportionate set of increases to the annual data protection fees” but which were in fact inflation-busting, adding to the burdens on business imposed by the new Labour government. Notwithstanding the Prime Minister’s suggestion that there should be a ‘polluter pays’ approach to the cost of regulation, the consultation proposed to maintain the current fee tier structure, the available exemptions from paying the fee, and the direct debit discount.

The new proposed fees were:

Tier      Current Fee    Proposed Fee    Increase
Tier 1    £40            £55             37.5%
Tier 2    £60            £82             36.6%
Tier 3    £2,900         £3,979          37.2%

In January 2025, the government published its response to the consultation, indicating that while it would reduce the amount by which the fees would increase, it did intend to proceed. Consequently, on the eve of Data Protection Day 2025, the government laid before Parliament The Data Protection (Charges and Information) (Amendment) Regulations 2025 (SI 2025/63), meaning that from 17 February 2025 onward the fees payable are as follows:

Tier      Current Fee    Fee from 17.02.25    Increase
Tier 1    £40            £52                  30%
Tier 2    £60            £78                  30%
Tier 3    £2,900         £3,763               29.8%

The government has emphasised its commitment to reducing regulatory burdens, calling on regulators to prioritise innovation and growth, although one of Labour’s own MPs, James Frith, disputed “the false choice of innovate versus regulate” in the recent House of Commons debate on the Data (Use and Access) Bill. The Information Commissioner’s Office’s own scorecard reveals that since Q4 of 2023/24 it has consistently failed to meet its target of assessing and responding to 80% of data protection complaints within 90 days and is getting progressively worse, with its performance in Q2 2024/25 languishing at 35.9%. Since a mere 0.02% of cases (2022 and 2023) result in ICO regulatory action, it is perhaps difficult to imagine how much less the data protection regulator could be doing in order to stimulate growth, but it will certainly be better funded while doing it.

Should you require support in determining whether you are obliged to pay the data protection fee, or how to get started with your data protection compliance, please contact us.
