22 June 2018

The recent arrival of the General Data Protection Regulation (GDPR) reminded everyone that data controllers (individuals and organisations that process personal data) have to pay a charge to the Information Commissioner’s Office (ICO).

The ICO is the UK’s independent body set up to uphold information rights and its work is largely funded by these charges.

These do not apply to everyone, however, and the Department for Digital, Culture, Media & Sport (DCMS) has decided to seek views on how the system is currently working.

Its consultation, which will be open for comments until 1 August 2018, can be found at https://bit.ly/2JThNZqand asks whether the current exemptions from paying charges are still appropriate and whether there should be any new exemptions.

Current charges

These came into effect on 25 May 2018 with the Data Protection (Charges and Information) Regulations (https://bit.ly/2GX3sWq).

There are three levels of charge:

  • tier 1 (micro organisations) £40;

  • tier 2 (small and medium organisations) £60; and

  • tier 3 (large organisations) £2900.

A £5 discount applies to all organisations where they pay by direct debit.

Tier 1 means a turnover of less than or equal to £632,000, or having no more than 10 staff or being a charity or small occupational pension scheme.

Tier 2 means a turnover of less than or equal to £36 million, or no more than 250 staff, while any organisation not falling into either of the first two is automatically considered to be Tier 3.


The exemptions on which the new consultation focuses can be found in the Schedule to the above Regulations.

They concern people and organisations that process personal data only for one or more of the following ‘core business purposes’:

  • Staff administration (including payroll);

  • Advertising, marketing and public relations (in connection with their own business activity); and

  • Accounts and records (except in relation to processing of personal data by or obtained from a credit reference agency).

Other exemptions include processing for the purposes of:

  • Judicial functions; and

  • Personal, family or household affairs (including recreational purposes.

Finally, some not-for-profit organisations are exempt as are data controllers processing personal data only for maintaining a public register (such as the Electoral Roll) and data controllers that do not process personal data by automated means, or with the intention that it be processed by automated means.

Given that most of the exemptions date back many years, and to a time when digital processing of personal data was not undertaken on anything near the scale it is today, the Government considers that there is merit in reviewing the exemptions to ensure that they are still appropriate to the current time, and “fit for the digital age”.