ICO takes action over failures to pay new data protection fee

Chris Hamblin, Editor, London, 3 October 2018

The British Information Commissioner’s Office has begun formal enforcement action against 34 organisations that have failed to pay the new data protection fee.

The data protection regulator has sent notices of its intent to fine the organisations unless they pay. Firms that do not pay face maximum fines of £4,350 apiece.

All organisations that process personal data must pay a fee to the ICO unless they are exempt. The money is used to fund the ICO’s data protection work, its new advice line, more online resources and the work that it has done to come up with new rules.

The notices serve as final demands. If the 34 organisations do not pay, the ICO will fine them between £400 and £4,000 apiece, depending on their size and turnover. Aggravating factors may lead to an increase of up to £4,350.

The data protection fee is set by Government and is to be found in the Data Protection (Charges and Information) Regulations 2018. It replaces the need for firms to notify or register with the ICO.

The news comes after the ICO hit Equifax last month with a fine of £500,000 - the maximum possible under the old law of 1998, which gave way to the new one this year. The fine concerns a cyber attack which took place between 13 May and 30 July at Equifax Inc in the US, affecting 15 million unique records of individuals in the UK. Equifax Ltd, which is Equifax Inc's parent, paid the fine because it had failed to take appropriate technical and organisational measures against the unauthorised and unlawful processing of that data. The commission also decided that some of the British data had been retained at Equifax Inc for longer than was necessary for the purpose for which Equifax Ltd transferred it there. In total, the personal data of some 146 million people in the US was also compromised, along with that of some in Canada.

The first, second, fifth, seventh and eighth data protection principles were broken. These say that firms should process personal data fairly and lawfully; that they should obtain it only for specified purposes and not process it further in any manner not compatible with those purposes; that they ought not to keep it for longer than is necessary for those purposes; that they should take steps against the unauthorised or unlawful processing of it and against its accidental loss or destruction; and that they ought not to transfer it outside the European Economic Area unless the country in question "ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
