Information Commissioner’s Office

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. ICO is an executive non-departmental public body, sponsored by the Department for Digital, Culture, Media & Sport.

The Data Protection Register, managed by the Information Commissioner’s Office (ICO), lists all organisations and individuals who recognise that they handle personal data as defined under the Data Protection Act 2018. There are currently more than 700k registrants listed.

With the UK due to leave the European Union, there may be changes to the current regulations. As the changes occur, the ICO will announce them via its Data protection and Brexit page.

The ICO is responsible for maintaining the Data Protection Register, which includes details of the organisations and individuals that handle personal data. All companies and organisations handling or processing personal data need to be registered. This ranges from local dentists to large credit reference agencies.

The Data Protection (Charges and Information) Regulations 2018 require every organisation that processes personal information to pay a fee to the Information Commissioner’s Office (ICO) unless it is exempt (see below). Failure to do so will result in a fixed penalty.

There are currently three tiers available when registering on the Data Protection Register.

Tier 1 – Micro organisations: These have a maximum turnover of £632,000 in their last financial year or no more than 10 members of staff. The fee for tier 1 is £40 per year.

Tier 2 – Small to Medium organisations: These have a maximum turnover of £36 million in their last financial year or no more than 250 members of staff. The fee for tier 2 is £60 per year.

Tier 3 – Large organisations: Any organisation not meeting the criteria for tier 1 or tier 2 has to pay the tier 3 fee of £2,900 per year.

The Data Protection Register includes information on:

  • Registration Number
  • Organisation name (including trading names where relevant)
  • Start and expiry date of registration
  • Payment Tier
  • Contact details for the Data Controller

Exemptions to the Data Protection Register

The 2018 Regulations make certain exceptions for some controllers.

  • Public authorities should categorise themselves according to staff numbers only. They do not need to take turnover into account.
  • Charities that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.
  • Small occupational pension schemes that are not otherwise subject to an exemption will only be liable to pay the tier 1 fee, regardless of size or turnover.

Enforcements

Information Commissioner’s Office (ICO) Enforcement Data provides information on fines and prosecutions undertaken by the ICO. As a regulator, the ICO’s role is to uphold information rights in the public interest. These rights are set out in several pieces of legislation including:

With the UK due to leave the European Union, some of the above rights and regulations may change. As the changes occur, the ICO will announce them via its Data protection and Brexit page.

The ICO is also responsible for maintaining the Data Controllers register, which includes details of organisations that handle personal data. All companies and organisations handling or processing personal data need to be registered. This ranges from your local dentist to large credit reference agencies.

As part of its regulatory powers, the ICO will ensure companies are aware of, and are adhering to, the requirements of the above regulations. Part of its role is to take action to ensure organisations meet their information rights obligations. To ensure this, the ICO has a range of options, from warnings at the lowest end to, in extreme cases, prosecution via the courts.
