bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

  • "really fights your corner..."
    "really fights your corner..." Chambers UK
  • "Consistently high-quality work and client-friendly approach."
    "Consistently high-quality work and client-friendly approach." Chambers UK

The GDPR: What you need to know about the changes to registration and fees

10 October 2017

As the GDPR live date gets ever nearer, we provide you with the relevant updates you need.

Registration with the ICO

Under the current Data Protection Act 1998 (DPA) before an organisation can process personal data, it must notify the ICO and pay a fee for the privilege. This involves telling the ICO what data the organisation collects, and how that data is used. Under the GDPR there is no obligation to inform the supervisory authority that you are processing personal data. For organisations with over 250 employees, there is an obligation to record data processing which is seen as an enhanced form of notification and is part of how an organisation can demonstrate accountability. However in the UK, there will still be a requirement to notify the ICO and the fee structure is changing from 1 April 2018.

How is the ICO funded?

Unlike many of the data protection watchdogs across the EU, the ICO is not funded by the fines that it imposes on those that have breached data protection requirements. Instead, it is funded by the notification fee. This has always been one of the big differences in approach between the UK and other EU countries when it comes to the funding of data protection regulation and enforcement. The ICO’s EU counterparts have often been criticised for imposing higher fiscal fines on breaching data controllers because by imposing higher fines, those regulators can increase their own operating budget. The ICO on the other hand must hand over any money it receives from fines to the Government.

Data Protection Fees

The notification fees that a data controller currently pays range from £35 to £500, depending on the size of the organisation. Although the GDPR will remove the requirement for an organisation to inform the ICO before it collects and processes personal data, the legal requirement for data controllers to pay a fee to the ICO will remain unchanged.

IN a recent blog, the ICO has indicated that the new data protection fee structure will come into effect on 1 April 2018. The fees that will be paid are still being finalised by the Department for Digital, Culture, Media and Sport, in consultation with the ICO and other stakeholders. Ultimately, Parliament will approve the final fees before they go live.

The ICO has said that the new fee structure is designed to fairly reflect the level of risk involved in processing personal data. However, the fee payable by a data controller will still mainly depend on the size and turnover of the organisation, as well as how much data it processes.

We should receive further information on the new fee structure by the end of 2017.

For more info visit our GDPR updates page.


Paul Motion, Partner and Solicitor Advocate, / T: 0131 222 2939


“The level of service has always been excellent, with properly experienced solicitors dealing with appropriate cases" Legal 500

Contact BTO


  • 48 St. Vincent Street
  • Glasgow
  • G2 5HS
  • T:+44 (0)141 221 8012
  • F:+44 (0)141 221 7803


  • One Edinburgh Quay
  • Edinburgh
  • EH3 9QG
  • T:+44 (0)131 222 2939
  • F:+44 (0)131 222 2949