ICO demand – is it a scam?

by Readers Question

9:52 AM, 10th December 2019
About 4 months ago


Our Ltd company has just received a demand from ICO (Information Commissioner’s Office) claiming that we are not registered with them. That is true…. I have never heard of or from them before.

They say our customers, clients and tenants expect us to take our data protection obligations seriously like the many real estate companies that have paid their fee on time. If we have not paid a data protection fee to ICO we could be liable to pay fines of up to £4000.

In former times we did take personal details from our, mainly student, tenants… names, addresses, telephone numbers, college details etc. Nowadays however we use agents and although, if we wanted, we could have copies of all tenancy agreements we normally leave all that with the agents.

As we do not hold these details I think the rules (if there are such rules) do not apply to us directly, but might apply to our agents. But something about this demand smells of a scam.

How come we have never heard of this before? Has anybody else received a similar demand?


Editor's Note:

ICO blog, 03/12/2019:

We have launched a campaign to contact all registered companies in the UK reminding them of their legal responsibility to pay a data protection fee. The move marks the start of an extensive programme to make sure the Data Protection Fee is paid by all those who need to pay it.

Under the Data Protection Act 2018 organisations processing personal information are required to pay a data protection fee unless they are exempt. You can quickly and easily find out if your organisation needs to pay the fee by using our self-assessment checker, but if you hold personal information for business purposes on any electronic device, including using CCTV for crime prevention purposes, it is likely an annual fee payment is due.

You can avoid us needing to contact you by either:

  1. Visiting our website to pay your organisation’s Data Protection Fee online
  2. Completing this form to tell us why your organisation is exempt from paying the fee.

Since the new annual data protection fee was introduced in May 2018, over 600,000 organisations have registered to pay it. They have gone on to access the range of services and support we provide to help them to comply with the law and give their customers, clients and suppliers trust and confidence in the way they process personal information. At the same time, between 1 July and 30 September 2019, we issued 340 monetary penalties to organisations that have not paid the Data Protection Fee.

As well as naming most organisations we need to fine, we also publish the names of all fee-paying organisations. This helps them make it clear to their customers, clients and suppliers that they are aware of their legal obligations when processing personal information.

We know data protection legislation can be complicated and we are here to help. The reminders we are sending to organisations are to help make it easy to comply with the law as well as access a great deal of advice and support available from the ICO. This includes:

  • a Helpline and Live Chat service dedicated to supporting small businesses and organisations;
  • a series of self-assessment tools and products on our website;
  • advisory visits and support designed to help small businesses and organisations to comply with the law.

The cost of the data protection fee depends on a company’s size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations it will be £40 or £60. The cost is reduced by £5 if you sign up by direct debit and you can find out how much you need to pay by taking a self-assessment.

For further help and advice, call the ICO’s small business helpline on 0303 123 1113 between 9am – 5pm, Monday to Friday (excluding Bank Holidays).


Luke P

11:10 AM, 17th December 2019
About 4 months ago

Reply to the comment left by David Atkins at 17/12/2019 - 11:04
It seems so.

There's obviously, evidenced by this thread and my own situation, been a 'ramping-up' of their enforcement. They're annoyed that just 600,000-odd businesses have registered when it should be almost all businesses. My cynical side wonders if this exists to help plug the gap by the potential looming TV Licence fee abolition, because their tactics appear to be similar and neither organisation has a .gov.uk domain...


11:16 AM, 17th December 2019
About 4 months ago

Reply to the comment left by Luke P at 17/12/2019 - 10:32
The data protection act existed a long time before GDPR.

You say "...not any longer." What was your limited company doing with personal data before GDPR?

Luke P

11:46 AM, 17th December 2019
About 4 months ago

Reply to the comment left by JJ at 17/12/2019 - 11:16
Not a lot. I just registered because it was cheap enough to do so and be compliant (even if unnecessarily so). The company only now exists as the owner of the investment properties. All data is now handled by the agent and I no longer keep (digital) records of any kind.

Laura Delow

12:37 PM, 17th December 2019
About 4 months ago

Definition of a Controller is; do you meet one or more of the following 1-12 definitions? Even if an agent does the processing for you, it is for the landlord's benefit on which a decision is made whether to rent to the applicant (data subject) and therefore a landlord meets at least 1-3 of the definitions i.e. 2nd, 8th & 12th definition for which a landlord needs to register with the ICO as a Controller:-
1) We decided to collect or process the personal data.
2) We decided what the purpose or outcome of the processing was to be.
3) We decided what personal data should be collected.
4) We decided which individuals to collect personal data about.
5) We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
6) We are processing the personal data as a result of a contract between us and the data subject.
7) The data subjects are our employees.
8) We make decisions about the individuals concerned as part of or as a result of the processing.
9) We exercise professional judgement in the processing of the personal data.
10) We have a direct relationship with the data subjects.
11) We have complete autonomy as to how the personal data is processed.
12) We have appointed the processors to process the personal data on our behalf.


12:50 PM, 17th December 2019
About 4 months ago

Reply to the comment left by Luke P at 17/12/2019 - 11:46
So if that's true I doubt you would need to be registered now. I suggest you look at the exemptions. But there may be something somewhere that says if you de-register and do not let the ICO know that your Company is no longer holding or processing personal data then there is a fine. I wouldn't know about that, I've never de-registered.

Luke P

13:23 PM, 17th December 2019
About 4 months ago

Reply to the comment left by JJ at 17/12/2019 - 12:50
If this is what happens when you *do* register (when I definitely needed to be), and now may or may not need to be, I wish I’d not been so honest in the first place. It just means the next thing that comes along, I will avoid (like the rest of almost all other businesses except the 600,000 or so ‘honest’ ones)!!

Goodness, it’s a mess. I feel like they just want everyone registered and to stop asking questions. It’s cheap enough, right?? Not if I don’t need to be. It’s a headache I simply don’t need.

David Atkins

13:51 PM, 17th December 2019
About 4 months ago

Reply to the comment left by Luke P at 17/12/2019 - 13:23
It's cheap enough... hmmm yes, but when you are a property investor, maybe a landlord, then add it to section 24, landlord licensing, Property Ombudsman membership, having to credit check tenants, employment check etc with no fee to applicants, client money protection, deposit protection, eviction costs, having no or very little recourse when tenants cause damage. £35 is just the cherry on top 🙈


13:52 PM, 17th December 2019
About 4 months ago

Reply to the comment left by Luke P at 17/12/2019 - 13:23
Have you advised them that your company no longer stores or processes personal data and asked them how you de-register?

Simon Lever

10:58 AM, 18th December 2019
About 4 months ago

Reply to the comment left by Luke P at 17/12/2019 - 13:23
So you used to be registered and then decided that you did not need to be.
Have you told them? If not, how do you expect them to know that you no longer need to be registered?
Tell them the situation and things will go away. Don't tell them, go to court and you will very probably end up with the fine and possibly costs as well.
As to their powers, I think that you will find that they are extensive and powerful.

Peter G

11:36 AM, 18th December 2019
About 4 months ago

This letter may be the ICO reaction to the discovery that their payment web page had a fault which stopped payments being processed.
I tried 3 times to make the payment online and it failed every time, forcing me to re-enter the entire form all over again each time - very frustrating! I called them to complain and they emailed me a link to use instead, but this also failed. A few days later a similar email to the one people are discussing here arrived in my inbox, saying I was not officially registered as I had not paid the fee.
If there was a website problem then hundreds or thousands of people could have failed to pay like me, so this letter may be the ICO's way of trying to cover up the problem. After all - how did they get our email addresses if we had not registered with them, and why would we register and not pay the £40 fee?
