GDPR – have you paid your data protection fee?

Have you overheard comments like these?

“We are on top of GDPR, we’ve contacted our customers so we are covered”
“I didn’t think it applied to employee data”
“We don’t keep employee data, we let our accountants handle that”
“Our staff already know what information we hold, we don’t need to tell them do we?”

As an employer you will collect, store, process, share and dispose of personal information about your staff. Your reasons are undoubtedly sound – you need to keep certain information in order to effectively manage the contractual relationship with your workforce, to satisfy legal obligations or for another valid or legitimate purpose.

Whatever the reasons, under the new data protection regulations which became effective on 25th May 2018, you must inform your staff of:

• what information you hold
• why you hold it
• how you keep it secure
• who you share it with
• when you dispose of it
• their rights relating to access or objection

From 25th May 2018, the Data Protection (Charges and Information) Regulations 2018 require organisations or sole traders who process personal data to pay a fee to the Information Commissioner’s Office (ICO), unless they are exempt.

Tier | Fee | Criteria
Tier 1 | £40 | Maximum annual turnover of £632,000 or no more than 10 staff
Tier 2 | £60 | Maximum annual turnover of £36 million or no more than 250 staff
Tier 3 | £2,900 | You do not meet the Tier 1 or Tier 2 criteria

You can pay online via the ICO website, and there may be a discount if you pay by direct debit.

This article has been compiled by SJHR. Every care has been taken in researching the content of this article, but it should not be relied upon as specific legal advice. The author cannot be held responsible for any errors or omissions.