We have been contacted by a number of clients who have stated they received letters from the ‘ICO’ requesting a fee and they have asked us for advice.
With so many scammers out there, it is understandable that many are reluctant to pay without fully understanding why and if it is a legitimate request.
We’ve put this article together to try and explain some key points and what you should do about it.
Here’s what’s covered in this article:
- Who Are ICO?
- The General Data Protection Regulation (GDPR)
- What Does The ICO Do?
- Why Have I Received An ICO Letter?
- I know Other Business Owners Who Haven’t Been Contacted, Why me?
- Why ICO Is Important To Everyone, Including You
- Do I Need To Register With the ICO?
- Do I Need To Pay ICO A Fee?
- How Do I Find Out If I Am Exempt?
- Why Do I Need to Pay ICO A Fee?
- How Much are the ICO Data Protection Fees?
- Is The ICO Data Protection Fee A One Off Cost?
- Why You Should Take Action
- Your Privacy Policy
- How To Protect Yourself From Scams
Who are ICO?
ICO or the Information Commissioner’s Office are the UK’s independent data protection regulator. The authority was set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation is a European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It came into effect on 25 May 2018.
What does the ICO do?
The ICO helps ensure that organisations who store any personal data, do so in a responsible manner and comply with UK legislation.
They are therefore the supervisory authority for data protection in the UK. They offer advice and guidance, promote good practice, monitor breach reports, conduct audits and advisory visits, consider complaints, monitor compliance and take enforcement action where appropriate.
Why have I received an ICO letter?
ICO have launched a recent campaign to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.
I know other business owners who haven’t been contacted, why me?
There are over 4 million limited companies registered in the UK. By any standards an exercise to write to all of those will be a costly and time-consuming exercise. Rest assured however, all will likely be contacted at some point.
Why ICO is important to everyone, including you
Everything is driven by data, be it online or offline. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date.
Your personal data could be written down or stored online. For example, every time you visit a website, search for or buy something, use social media or send an email.
Sharing data helps make life easier, more convenient and connected. But your personal data belongs to you, so it’s important your data is used only responsibly and in ways you would reasonably expect.
Most importantly, it should be safe, and that it stays safe. Data protection law, regulated by the ICO makes sure everyone’s data is used properly, legally and only for the reasons acceptable to you.
Do I need to register with the ICO?
Under the Data Protection Act 1998, all organisations that process personal information must register with the ICO, who publish the names and addresses of the data controllers.
They also include a description of the type of processing each organisation performs. If your organisation processes personal data, failure to register with the ICO is breaking the law.
Do I need to pay ICO a fee?
Every organisation or sole trader who processes personal information needs to pay a data protection fee to the ICO, unless they are exempt.
How do I find out if I am exempt?
There are few exemptions, the best way to find out is to complete the survey which can be found on the ICO website or the gov.uk website.
https://www.gov.uk/data-protection-register-notify-ico-personal-data
Why do I need to pay ICO a fee?
The fee you pay funds data protection work performed by ICO. If you are fined for any breaches, they do not keep any money, it is passed directly to the Government.
How much are the ICO Data Protection Fees?
The fees are £40 to £60 for most organisations, including charities and small and medium-sized businesses. You can find out how much you’ll need to pay using the link below.
https://ico.org.uk/for-organisations/how-much-will-i-need-to-pay/
Is ehe ICO Data Protection Fee a one-off cost?
Unfortunately not, this is an annual fee. If you sign up by direct debit, you can save £5 on the fee.
What if I don’t pay the ICO Data Protection Fee
Failing to register with the ICO and pay the fee is a criminal offence. You could risk being convicted and issued with a fine of up to £4,350.
Why you should take action
Firstly, you have to take action otherwise you could be breaking the law.
It’s a strong message for your prospects and customers. It shows you are a reputable business because you value and care about their personal information. You are likely to keep it secure and not share it inappropriately.
It also lets other organisations know that you run a tight ship and that you’re aware of your data protection obligations. It’s reassurance for those thinking of doing business with you.
When you’ve registered and paid, your business is published on our register of data controllers. Members of the public and other companies can check the before they decide to do business. You can check registered companies here:
https://ico.org.uk/esdwebpages/search
Note: You may not find some companies if they recently registered.
Your privacy policy
Data Protection can be a complex process fully understand but it is important you take steps to do the right thing. Personal data does not belong to you. People have a right to request what personal data you hold about them and request you delete it, unless you are required to keep it by law (e.g. tax purposes).
You have to have a valid reason to hold personal data. Therefore to make things super clear for your customers, make sure you have a privacy policy on your website explaining:
- What you do with personal data.
- Why you use personal data.
- Who you share it with.
- How long you keep it for.
- How to request what personal data you hold about them.
- How to request you delete any personal data.
This is just the basics however, please refer to https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information.
How To Protect Yourself From Scams
The ICO is warning companies to be aware of scams relating to payment of the data protection fee. If you’ve received a letter, text message, email or telephone call and want to check that it’s genuine, please search ‘ICO fee’ using your usual search engine. Follow the top results to website links which begin with https://ico.org.uk, and this will bring you their official website.
