Obligation to have a Data Protection Licence
The general rule applicable to companies and organisations as well as public entities is: All companies and other organisations that process personal data should pay an annual data protection fee, unless exempt.
The fee applies no matter how big or small your business is.
If your company is exempt from the obligation to register with the Information Commissioner’s Office (ICO), it is still required to comply with data protection laws, including maintaining documentation.
The ICO is an independent body in the UK responsible for enforcing data protection laws.
If you fail to register and pay the annual Data Protection Licence fee, you may be subject to a fine ranging from £400 to £4000.
Who has to pay the Data Protection Licence?
The activities listed below may require the processing of personal data and may be subject to data protection regulations:
- Accounting and financial audits
- Financial services and advice
- Mortgage/insurance brokering
- Credit referencing
- Processing personal data obtained from credit reference agencies
- Consultancy and advisory services
- Legal services
- Insolvency practices
- Insurance services
- Debt administration
- Pension administration
- Membership administration
- Property management, including the sale and/or rental of properties
- Charitable organisations, including housing association
- Education, including schools
- Advertising, marketing, and public relations for third parties
- Journalism, media, and TV/radio
- Software development, including hosting and website design or IT support
- Social research, including social media platforms or dating agencies
- Database trading and sharing personal data
- Loyalty cards
- Private detective services
- Crime prevention and prosecution, including CCTV systems
- Emergency services, including ambulance and fire services
- Healthcare administration and patient care, including pharmacists, optometrists, and dentists
Does the obligation to pay Data Protection Licence also apply to every company/organisation that uses CCTV for crime prevention purposes?
This does not include home monitoring. However, owners of such systems still have obligations, which you can read about in our article: Obligations of CCTV holders in the UK
How much does a Data Protection License cost?
There are three different fee levels, depending on the size of your company and therefore the risk of processing personal data breaches.
Level 1 – Micro organisations
Your maximum turnover in the financial year is £632,000 GBP or you employ no more than 10 employees.
The fee for level 1 is £40 per year.
Level 2 – Small and Medium organisations
For companies whose maximum turnover in the financial year is £36 million or you employ no more than 250 employees.
The fee for level 2 is £60 per year.
Level 3 – Large organisations
If you do not meet the criteria for Level 1 or Level 2, you must pay the Level 3 fee of £2,900 per year.
To check whether the company you cooperate with has a
DATA PROTECTION LICENCE
The registration process with the ICO
The registration process itself should take no more than 15 minutes. However, you should first make sure that it is actually your responsibility.
To do this, take the self-assessment test on the ICO website. By answering a few questions, the system will tell you whether registration is mandatory in your case or not.
If you are not subject to mandatory registration, you can still register and pay for the Data Protection Licence voluntarily, for example, if you want to show your customers that you take the protection of their data seriously.
What will happen after registration in the ICO?
After registering with the ICO, you will receive your Data Protection Licence number via email a few days later, and you will be reminded to renew your annual payment after a year.
The register of entities holding a Data Protection Licence is public.
This means that you can easily check whether an entity – for example, your childminder or tutor, real estate agency or other entity – actually has the required registration by entering its name, address or ICO number – if you know it.
If the company you are checking is engaged in any of the activities listed in this article but is not registered with the ICO, be cautious.
It is certainly not operating legally – at least when it comes to data protection.