Most UK businesses that employ staff or hold customer data must register with the Information Commissioner's Office (ICO) and pay an annual data protection fee of £40–£60. Failure to register when required is a criminal offence and can result in a fine of up to £4,000. Registration takes about 15 minutes online.
What is ICO registration?
The Information Commissioner's Office (ICO) is the UK's independent data protection regulator. Under the Data Protection (Charges and Information) Regulations 2018, organisations that process personal data must notify the ICO and pay an annual fee — unless they qualify for an exemption.
"Processing personal data" means virtually anything you do with information about identifiable individuals — storing employee records, sending marketing emails, taking CCTV footage, or maintaining a customer database.
Do I need to register?
Almost certainly yes, if you:
- Employ staff — payroll records, right-to-work checks, HR records, and sick leave logs all constitute processing personal data
- Hold customer information — names, email addresses, purchase history, phone numbers
- Use CCTV — footage of identifiable individuals is personal data
- Send marketing emails — email marketing to identifiable recipients requires registration
- Use any cloud HR or CRM software — if the software processes personal data on your behalf, you are the data controller
The ICO's own guidance states: "Most businesses, charities and sole traders are likely to need to pay the data protection fee."
Who is exempt?
Some organisations are exempt from paying the fee (though not from the broader obligations of UK GDPR):

| Exempt category | Notes |
|---|---|
| Individuals processing data purely for personal, family or household activity | Not businesses |
| Organisations that only process data for staff administration (no marketing, no CCTV, no other purposes) | Rare in practice — most businesses do more than this |
| Not-for-profit organisations with only exempt processing | Limited scope |
| Small occupational pension schemes | Specific exemption |

Important: Even if you are exempt from paying the fee, you are still required to comply with the UK GDPR — including having a privacy notice, responding to subject access requests, and maintaining appropriate security.
Most small businesses that employ staff and hold any customer data will not qualify for exemption. If in doubt, register.
How much does registration cost?
The annual fee depends on your organisation's size and turnover:

| Tier | Criteria | Annual fee |
|---|---|---|
| Tier 1 | Micro-organisations — turnover ≤ £632,000 OR staff ≤ 10 | £40 |
| Tier 2 | Small / medium organisations — turnover ≤ £36m OR staff ≤ 250 | £60 |
| Tier 3 | Large organisations — above Tier 2 thresholds | £2,900 |

For most small businesses with fewer than 10 staff, the fee is £40 per year — less than £1 per week.
How to register with the ICO
- Go to ico.org.uk/registration
- Answer the short questionnaire — it takes about 15 minutes
- Pay the annual fee by card or direct debit
- Receive your ICO registration number (starts with Z)
You will receive a renewal reminder each year. The registration must be renewed annually.
What you get from registering
Your ICO registration number appears in the ICO's public register, which is searchable by anyone. Displaying your registration number on your website's privacy policy demonstrates to customers and employees that you take data protection seriously.
For employers, registration is also increasingly relevant to contract work — many larger businesses now ask suppliers to confirm their ICO registration number before entering a contract.
What happens if you don't register?
Failing to register when required is a criminal offence under the Data Protection Act 2018. The ICO can issue a fixed penalty notice of:
- £400 for failure to pay the fee (if you have processed data requiring registration)
- Up to £4,000 for more serious non-compliance
The ICO also has powers to issue civil monetary penalties of up to £17.5 million or 4% of global annual turnover for serious data protection breaches under UK GDPR — though these are reserved for significant incidents, not simple registration failures.
ICO registration and your employees
As an employer, your employees have rights under UK GDPR regardless of your ICO registration status:
- Right to access: employees can request a copy of all personal data you hold about them (Subject Access Request)
- Right to rectification: employees can ask you to correct inaccurate data
- Right to erasure: employees can ask for data deletion (subject to legal retention obligations)
- Right to be informed: your employee privacy notice must explain what data you hold, why, and for how long
A well-maintained HR system makes responding to these requests significantly easier.
Frequently asked questions
I'm a sole trader with no employees — do I need to register? It depends on what data you process. If you hold customer records, send marketing communications, or use CCTV, you almost certainly need to register. If you process data solely for your own personal use, you may be exempt — but sole traders who process any business-related personal data typically need to register.
Do I need a separate registration for each business location? No. One ICO registration covers all your locations if they are part of the same legal entity (e.g. same limited company). If you operate through multiple legal entities, each one needs its own registration.
Is ICO registration the same as GDPR compliance? No. ICO registration is one requirement of UK GDPR, but compliance is much broader — it includes having a lawful basis for all processing, maintaining a privacy notice, securing personal data, and responding to data subject requests.
How do I know my ICO registration number? After registering, you receive a confirmation email with your registration number. You can also look up your organisation on the ICO's public register at ico.org.uk/ESDWebPages/Search.