
Who must register

If your business processes personal data, you are legally required to register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. This obligation comes from the Data Protection (Charges and Information) Regulations 2018.

Personal data includes customer names, email addresses, employee records, supplier contacts, CCTV footage, website analytics, and marketing lists. If you hold any information about identifiable living people for business purposes, you are processing personal data.

You must register if your business:

  • Keeps customer or client contact details
  • Has employees or workers (including payroll and HR records)
  • Uses CCTV, dashcams, or smart doorbells for business purposes
  • Maintains marketing or mailing lists
  • Uses website analytics or cookies that identify visitors
  • Processes supplier or contractor information

In practice, almost every business needs to register. If you run a business and keep any records about people, you should register.

Limited exemptions

You may be exempt from paying the fee only if you:

  • Only process personal data for personal, family, or household purposes (not for any business activity)
  • Are an elected representative processing data solely for that role
  • Have no automated processing at all (no computers, databases, or CCTV) - extremely rare in practice
  • Only process data for judicial functions

These exemptions are interpreted very narrowly. If in doubt, register. The penalty for not registering far exceeds the annual fee.

Understand the fee tiers

The data protection fee uses a three-tier structure based on your staff numbers and annual turnover. You pay the tier that matches your highest category.

How to work out your tier

Staff count:

  • Include employees, workers, office holders, and partners
  • Use your average headcount across the financial year
  • Part-time workers count as one person each (not pro-rated)
  • Agency workers generally count towards the agency, not your organisation

Turnover:

  • Use your total annual turnover (gross income from all activities)
  • For new businesses, use your expected first-year turnover
  • Each legal entity in a group registers and pays separately

Charities: All registered charities pay Tier 1 (£52) regardless of size or turnover.

How to register

Registration is done online through the ICO website. The process takes approximately 10 to 15 minutes.

Information you will need

Before starting, gather:

  • Business details: legal name, trading name(s), registered address
  • Company registration number (if a limited company)
  • Contact details: name of person responsible for data protection, email, phone
  • Description of processing: what personal data you hold and why
  • Staff numbers and turnover for tier calculation
  • Payment details: debit or credit card, or bank details for Direct Debit

  1. Use the ICO self-assessment tool

    Visit the ICO website to confirm whether you need to register and which fee tier applies. The tool asks straightforward questions about your business and processing activities.

  2. Go to the ICO registration portal

    Start your registration at ico.org.uk/for-organisations/data-protection-fee/register/. You can complete the entire process online.

  3. Enter your business details

    Provide your legal name, trading name, registered address, company number (if applicable), and the name and contact details of your data protection contact.

  4. Describe your processing activities

    The form asks you to describe the types of personal data you hold and the purposes for which you process it. Select from the categories provided.

  5. Confirm your fee tier

    Based on your staff numbers and turnover, the system will suggest your tier. Confirm this is correct before proceeding to payment.

  6. Pay by Direct Debit for the £5 discount

    Set up a Direct Debit to save £5 on your annual fee and ensure automatic renewal without gaps in registration. You can also pay by debit or credit card.

  7. Save your registration number

    You will receive a registration number immediately. Keep this safe. You may need it for contracts, due diligence checks, or when responding to data protection queries.

After registration

Once registered, your details appear on the ICO's public register within a few working days. Anyone can search the register to verify your registration, which is often checked during due diligence by larger clients and during contract negotiations.

Annual renewal

Your registration lasts 12 months. The ICO sends a renewal reminder before your expiry date.

If you pay by Direct Debit

Renewal is automatic. The ICO collects payment and issues a new registration certificate without any action from you.

If you pay by card

You must renew manually each year:

  • The ICO sends email and postal reminders before expiry
  • Log in to your ICO account to pay
  • Complete payment before your registration expires

Updating your details

You must keep your registration details current. Notify the ICO if any of the following change:

  • Business name or trading names
  • Registered address
  • Contact person for data protection
  • Nature of processing activities
  • Staff numbers or turnover that affect your tier

Log in to your ICO account to make updates at any time.

What happens if you do not pay

Failure to register is a criminal offence. The ICO actively enforces registration requirements.

If you fail to pay the data protection fee when required:

  • Penalty notice: up to £4,350 (150% of the highest tier fee)
  • Outstanding fee: you must still pay the fee owed on top of the penalty
  • Criminal offence: processing personal data without valid registration

If the ICO identifies that you should be registered, they issue a notice giving you 28 days to pay or make representations. Do not ignore this notice.

Do not let your registration lapse. Operating without valid registration is an offence even if you were previously registered.

Next steps after registration

ICO registration is one part of your data protection obligations. After registering, you should:

  • Create a privacy notice explaining how you use personal data
  • Identify lawful bases for each type of data processing
  • Implement security measures to protect personal data
  • Set up procedures to handle data subject access requests
  • Plan for breach response with a 72-hour notification process