The Data Protection (Charges and Information) Regulations 2018 came into force in May 2018. Generally, these Regulations mean that Controllers must pay the ICO an annual data protection fee unless they are exempt. The exemptions are relatively limited. The requirement to pay an annual fee replaces the previous requirement to register with the ICO. The fee ranges from £40 to £2900, depending on the tier of organisation. The fee helps to fund the ICO.

In September, the ICO sent over nine hundred letters of intent to organisations that had not paid their fee. The ICO has now announced that it is issuing penalty notices and fining over one hundred of those businesses for failing to pay their data protection fee.

The fines range from £400 to £4000. An additional £350 can be added where specific aggravating factors are present, making the total maximum fine £4350. Organisations will have 28 days to pay their fine and comply with the terms of the notice. Failure to pay within that time may lead to further legal action. Construction and finance companies have been the first sectors in the ICO’s focus.