Draft Data Protection (Charges and Information) Regulations 2018 and guide published

The draft Data Protection (Charges and Information) Regulations 2018 (the Regulations) have now been published and will replace the current Data Protection (Notification and Notification Fees) Regulations 2000. The final version of the Regulations will come into force on 25 May 2018 in line with the General Data Protection Regulation (GDPR). The draft Regulations, as always, are subject to Parliamentary approval. However, given the limited time before they are due to take effect, they are unlikely to change. 

The ICO has recently published a fee guide for controllers which you can download here.

The draft Regulations set out the following:

  • When data controllers will be required to provide information to the Information Commissioner's Office (ICO) and pay a charge associated with the processing of personal data.
  • An annual charge to the ICO is required unless all processing undertaken by the controller is exempt. The ICO has also published a guide to the draft Regulations on how controllers can determine whether they are exempt from this requirement. The guide also outlines the ICO's intention to publish an online exemption assessment tool by 25 May 2018 to assist.
  • Special provisions must be made where there is more than one data controller in respect of personal data, for example in the case of a governing body and headteacher of a school.
  • Different fee levels. There are three tiers of charges (£40, £60 and £2,900) depending on the data controller's turnover, number of staff and organisation type. Information that must be provided includes the name and address of the controller.
      1. Tier 1 (£40) applies to micro organisations with a turnover of up to £632,000 or up to 10 members of staff;
      2. Tier 2 (£60) applies to small and medium organisations with a turnover of up to £36,000,000 or up to 250 members of staff; and
      3. Tier 3 (£2,900) applies to organisations that exceed the turnover and numbers of staff in Tier 2.

Key information to note:

  • If you have registered before 25 May 2018, you do not need to re-register in line with the GDPR. Your current registration will remain valid for 12 months and you will not need to pay the new fees until your current registration expires.
  • There is a monetary penalty of £4,350 for not registering.
  • The information about your Data Protection Officer (DPO) may also be collected through this process. However, this is not a requirement of the Regulations - it is just for convenience. Their name will be published if the DPO gives their consent.
  • Charities and small occupational pension schemes are only required to pay the Tier 1 fee, regardless of size or turnover.
  • Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account. 


If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

© SA LAW 2018

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.
