The ICO is primarily funded by organisations paying the data protection fee, which covers over 85% of the ICO’s annual expenditure. This is supplemented by grant-in-aid from the government to fund the ICO’s regulation of various other laws.
Data protection fees
Under the Data Protection Act 2018, organisations processing personal data must pay a data protection fee, unless they are exempt. Personal data includes information like people’s names, addresses or telephone numbers.
Find out more about the data protection fee and whether it applies to you or your organisation.
From 1 April 2022 to 31 March 2023, the ICO collected roughly £66 million through the data protection fee. In 2021/2, the ICO collected £62 million in fee income.
The ICO maintains a register of everyone who pays the data protection fee.
Grant-in-aid
The ICO’s regulation of other legislation is funded by grant-in-aid. The ICO received £10,298,000 total grant-in-aid from April 2022 to March 2023, compared to £7,578,000 in 2021/22. This is to fund the ICO’s work on the following legislation:
- Freedom of Information Act (FOIA)
- Network and Information Systems Regulations (NIS)
- Electronic Identification and Trust Services (eIDAS)
- Investigatory Powers Act (IPA)
Fine income
The ICO is also able to retain specified amounts of the funds paid in response to the Civil Monetary Penalties (CMPs) we issue under data protection law and the privacy and electronic communications regulations. Each year, the income from these fines is passed to the Government’s Consolidated Fund. However, from 1 April 2022, the HM Treasury has allowed the ICO to retain funds to cover pre-agreed, specific and externally audited enforcement and litigation costs.
There is a cap on the amount of costs that be recovered in any one financial year (£7.5m) and the approach we take is audited by the National Audit Office. We also report on the level of fines and our associated costs in our Annual Report and to HMT on an annual basis.