Data protection annual compliance checklist

Use this checklist each year to confirm your business meets its data protection obligations under UK GDPR and the Data Protection Act 2018. Work through each section and resolve any gaps before moving on.

Registration and fees

ICO data protection fee renewed and paid before the expiry date
ICO registration details up to date (business name, address, nature of processing)
Correct fee tier confirmed based on current turnover and staff numbers

ICO data protection registration fees 2025

Three-tier fee structure for ICO registration under Data Protection (Charges and Information) Regulations 2018.

Under the Data Protection (Charges and Information) Regulations 2018, most organisations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO).

Tier 1 fee (micro organisations): £52 per year
Tier 1 threshold: Annual turnover up to £632,000 AND 10 or fewer staff
Tier 1 Direct Debit: £47 per year (£5 discount)
Tier 2 fee (SMEs): £78 per year
Tier 2 threshold: Annual turnover up to £36 million AND 250 or fewer staff
Tier 2 Direct Debit: £73 per year (£5 discount)
Tier 3 fee (large organisations): £3,763 per year
Tier 3 threshold: Annual turnover over £36 million OR over 250 staff
Tier 3 Direct Debit: £3,758 per year (£5 discount)
Effective from: 18 February 2025

Charities: Pay Tier 1 fee only (£52), regardless of size or turnover
Penalty for non-payment: Up to £4,350 (150% of highest tier fee) plus the fee owed
Payment deadline after notice: 28 days to pay or make representations
Renewal: Annual - ICO sends renewal reminder before expiry

Who must pay

You must register if your business:

Processes personal information about individuals (customers, employees, suppliers)
Uses CCTV (including smart doorbells or dashcams for business purposes)
Maintains marketing lists
Uses cookies on your website

Limited exemptions

Very few organisations are exempt. You may be exempt only if you:

Only process personal data for personal or household purposes (not business)
Are an MP, elected representative, or judge (specific exemptions)
Have no automated processing (no computers, no CCTV) - extremely rare

Most businesses are NOT exempt - if you have customer or employee data, you almost certainly need to pay.

Pay the data protection fee

ICO fee self-assessment tool

Privacy and transparency

Privacy notices reviewed and updated for any changes to processing activities, data recipients, or retention periods
Privacy notices include all mandatory information required by UK GDPR Articles 13 and 14
Cookie consent mechanism compliant with PECR and any Data Use and Access Act 2025 changes (consent-or-pay models, analytical cookie reforms)
Lawful basis documented for each processing purpose
Legitimate interest assessments reviewed for any processing relying on that basis

Privacy notice mandatory content (Articles 13-14)

The mandatory information that must be included in a UK GDPR-compliant privacy notice when collecting personal data.

Under UK GDPR Articles 13 and 14, you must provide certain information to individuals when you collect their personal data. This is typically provided through a privacy notice (also called a privacy policy).

Controller identity and contact details: Your organisation name, address, and contact details (and DPO/SRI if applicable)
Purposes of processing: Why you are collecting and using their personal data
Lawful basis: Which UK GDPR lawful basis applies to each processing purpose
Legitimate interests (if applicable): What the legitimate interests are (yours or a third party's)
Recipients or categories of recipients: Who you share the data with (named organisations or categories)
International transfers: Whether you transfer data outside the UK and what safeguards apply
Retention period: How long you keep the data (or the criteria used to determine the period)
Individual rights: The data subject rights that apply (access, rectification, erasure, etc.)
Right to complain: The right to lodge a complaint with the ICO
Automated decision-making: Whether you use automated decision-making (including profiling) and if so, meaningful information about the logic, significance, and consequences

Additional requirements for Article 14 (data not collected directly)

Categories of personal data obtained
Source of the personal data
Information must be provided within a reasonable period (no longer than one month)

How to provide the notice

Use clear, plain language
Consider a layered approach (short summary + full notice)
Must be easily accessible
Update when processing activities change
Provide at the time data is collected (Article 13) or within one month (Article 14)

ICO guide to the right to be informed

Individual rights and requests

Subject access request (SAR) response process documented and tested within the last 12 months
Staff trained on recognising and handling all eight data subject rights requests
Response within one calendar month confirmed as standard procedure (with documented escalation for complex requests)
Identity verification process in place for rights requests
Third-party recipients notified of any rectifications, erasures, or restrictions during the year

UK GDPR individual rights summary (8 rights)

The 8 individual rights under UK GDPR that data subjects can exercise against data controllers.

Under UK GDPR, individuals have 8 rights regarding their personal data. Organisations must facilitate these rights and respond to requests within one calendar month.

1. Right to be informed (Articles 13-14): Right to know how their data is collected and used, via a privacy notice
2. Right of access (Article 15): Right to obtain a copy of their personal data (subject access request). Response deadline is one calendar month
3. Right to rectification (Article 16): Right to have inaccurate personal data corrected or incomplete data completed. Response within one month
4. Right to erasure (Article 17): Right to have personal data deleted in certain circumstances (also known as the right to be forgotten). Not absolute
5. Right to restrict processing (Article 18): Right to request that processing is limited in certain circumstances while a dispute is resolved
6. Right to data portability (Article 20): Right to receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller
7. Right to object (Article 21): Right to object to processing based on legitimate interests, direct marketing (absolute right), or research/statistics
8. Rights related to automated decision-making (Article 22): Right not to be subject to solely automated decisions with legal or similarly significant effects (modified by DUAA 2025 from 5 February 2026)

Key response requirements

Deadline: One calendar month from receipt of request
Extension: Up to two further months for complex or numerous requests (must inform individual within first month)
Fee: Generally free. Can charge a reasonable fee if request is manifestly unfounded or excessive
Refusal: Can refuse manifestly unfounded or excessive requests but must explain why within one month
Identity verification: Can request proof of identity before responding

ICO guide to individual rights

Security and breach management

Data breach response plan in place and tested (desktop exercise or drill) within the last 12 months
Staff trained on identifying and escalating potential breaches
72-hour ICO notification process documented and assigned to a named individual
Internal breach register maintained and reviewed for patterns or repeat incidents
Technical security measures reviewed (encryption, access controls, backups, patch management)
Passwords and access credentials rotated or reviewed in line with your security policy

UK GDPR data breach notification requirements

72-hour breach notification requirement under UK GDPR Article 33. Pure data reference.

UK GDPR requires data controllers to report certain personal data breaches to the ICO and, in some cases, to the individuals affected.

ICO notification deadline: Within 72 hours of becoming aware of the breach
Clock starts when: You have 'reasonable certainty' a breach has occurred, not when you know full details
When notification required: If the breach is likely to result in a risk to people's rights and freedoms
When notification NOT required: If breach is unlikely to result in any risk to individuals - but must still record internally
Individual notification: Required without undue delay if risk to individuals is HIGH
Legislation: UK GDPR Articles 33 and 34

Required notification content (Article 33(3))

Nature of the breach (what happened)
Categories and approximate numbers of individuals affected
Categories and approximate numbers of records affected
Name and contact details of your DPO or other contact point
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate harm

Phased reporting: If full information unavailable within 72 hours, report what you know and provide details later 'without undue further delay'
Internal record-keeping: ALL breaches must be documented (whether notified to ICO or not) for audit purposes
Penalty for notification failure: Up to £8.7 million or 2% of global annual turnover (whichever is higher)

Report a breach to the ICO

Governance and accountability

Records of processing activities (ROPA) updated to reflect any new or changed processing
Data Protection Officer or Senior Responsible Individual appointed and contact details published (if required)
Data Protection Impact Assessments (DPIAs) reviewed for all high-risk processing activities
New DPIAs completed for any processing introduced during the year that meets mandatory triggers
Staff data protection training completed and recorded for all employees handling personal data
Data protection policies reviewed and version-controlled

When a DPIA is required (mandatory triggers)

The circumstances under UK GDPR Article 35 that require a Data Protection Impact Assessment before processing begins.

Under UK GDPR Article 35, you must carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals' rights and freedoms.

Mandatory trigger 1: Systematic and extensive profiling: Automated processing including profiling that produces legal effects or similarly significant effects on individuals
Mandatory trigger 2: Large-scale special category data: Large-scale processing of special category data (health, race, religion, sexual orientation, biometrics, etc.) or criminal offence data
Mandatory trigger 3: Large-scale public monitoring: Systematic monitoring of a publicly accessible area on a large scale (e.g. large-scale CCTV)
Mandatory trigger 4: Innovative technology: Use of new technologies where the impact on individuals is not yet fully understood
Mandatory trigger 5: ICO published list: Any processing that appears on the ICO's published list of processing operations requiring a DPIA

ICO’s additional criteria (two or more may trigger a DPIA)

Evaluation or scoring (including profiling and predicting)
Automated decision-making with legal or significant effect
Systematic monitoring
Sensitive data or data of a highly personal nature
Data processed on a large scale
Matching or combining datasets
Data concerning vulnerable individuals (children, employees, patients)
Innovative use or applying new technological or organisational solutions
Processing that prevents individuals from exercising a right or using a service or contract

If your processing meets two or more of these criteria, you are very likely to need a DPIA.

ICO consultation: Must consult the ICO before processing if the DPIA identifies a high risk that you cannot mitigate
Penalty for not conducting a required DPIA: Up to £8.7 million or 2% of annual worldwide turnover
Legislation: UK GDPR Article 35

ICO DPIA guidance

Data management

Retention schedule applied and data deleted or anonymised on schedule
International transfer mechanisms reviewed and still valid (adequacy decisions, standard contractual clauses, or binding corporate rules)
Processor contracts include all required UK GDPR Article 28 clauses
Processor compliance verified (security measures, sub-processor controls, breach notification obligations)
Data minimisation reviewed: no unnecessary personal data still being collected or held

If you identified gaps in any section, address them promptly. The ICO can issue enforcement notices, reprimands, and fines of up to GBP 17.5 million or 4% of annual worldwide turnover for serious infringements. If you are uncertain about a compliance gap, seek specialist data protection advice before your next ICO fee renewal date.

Related guidance

Data protection for businesses for full UK GDPR compliance guidance
Register with the ICO and pay data protection fee for registration details
Respond to data subject access requests (DSARs) for handling rights requests
Responding to data breaches: legal requirements for breach notification procedures
International data transfers: UK GDPR requirements for transfer mechanisms

ICO accountability framework self-assessment

Official guidance and legislation

ICO: Accountability and governance
ICO self-assessment toolkit for data protection accountability.
ico.org.uk
ICO: Data protection fee
Fee tiers, self-assessment tool, and payment.
ico.org.uk
ICO: Report a personal data breach
Online breach reporting tool and guidance.
ico.org.uk
ICO: Guide to data protection impact assessments
When and how to conduct a DPIA.
ico.org.uk
UK General Data Protection Regulation (legislation.gov.uk)
Full text of UK GDPR.
legislation
Data Protection Act 2018 (legislation.gov.uk)
UK domestic data protection legislation.
legislation
Data Use and Access Act 2025 (legislation.gov.uk)
Reforms to UK data protection framework including cookie consent and automated decision-making.
legislation

Business Context Testing

Content Graph

Guvnor

Data protection annual compliance checklist

Registration and fees

Privacy and transparency

Individual rights and requests

Security and breach management

Governance and accountability

Data management

Related guidance

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

Registration and fees

Privacy and transparency

Individual rights and requests

Security and breach management

Governance and accountability

Data management

Related guidance

Related guides in Compliance & Legal

Business Context Testing

Content Graph