Feb 12, 2021 | GDPR

A Letter From the ICO

Howard Freeman

Many businesses have now received a letter from the ICO asking for a registration fee of £40 or £60. We are being asked all the time whether or not the letter is genuine and whether a business needs to pay.

Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt. Very few businesses are actually exempt.

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt.

From 25 May 2018, people who use CCTV for domestic purposes, i.e. to monitor their property, even if it films beyond the boundaries of their property, will be exempt from paying a fee under data protection law.

Take the Test.

If you are a not-for-profit business or a charity, you may be exempt. We recommend you take the ICO’s test. It will only take you a few minutes and you can find the test here.

At the end of the test you will be told either that you are exempt or to pay now. Most businesses are unlikely to be exempt.

Scam or not?

If you have received a letter from the ICO and you are concerned it might be a scam, here is what you can do. Do NOT follow any of the links in the letter or call any of the numbers in the letter.

In the first instance, head to the ICO’s website and go to the registration fee page, which you can find here. Complete the self-assessment and pay the fee.

In reality, most businesses should have registered some time ago. A business that hasn’t registered is generally not compliant. A well-thought-out GDPR compliance project would have captured the need for this registration fee. If you have this letter, perhaps this is the time to consider whether you are actually compliant.

Am I Compliant?

Having a privacy notice simply isn’t enough! A few documents downloaded from the web are not compliance. Many companies simply grab template policies, add their name and claim compliance. Nothing could be further from the truth. It is absurd for any business leader to claim this.

Data classification and mapping are a must, and the risk of processing should be understood before any policies and procedures are written.

My HR Person sorted it all out…

We hear this frequently. It is likely that HR clauses have been added, but this isn’t compliance. There are many great HR experts around, but they are not GDPR and data protection experts. There will be little risk assessment work carried out. Simply changing wording on documents is not compliance.

We also hear that companies offering other business services do ‘a bit of GDPR’. Again, this is likely to leave holes in your compliance and unlikely to cover off new legislation. This will include the changes that have come in since Brexit.

If you are not sure of your GDPR status, we would be happy to carry out your annual audit for you. I bet you didn’t know you had to carry one out!

GDPR is not a tick-box, one-off, set-and-forget exercise. Data Protection and GDPR is a journey in the same way that your business plan continually evolves. So, if you receive a letter from the ICO, think about your overall compliance.

If you would like to know more about GDPR compliance then you can contact us on 03333 22 1011 or via our website here. Alternatively you can book your free GDPR consultation directly with one of the team here.
