Run a compliant insurance or pension business

Protect personal data and pay the ICO fee

Insurance and pensions run on personal data — policyholder records, health and claims information, member benefits data. Much of it is special category data needing extra safeguards. You must handle it under the UK GDPR and the Data Protection Act 2018, and unless exempt you must register with the Information Commissioner's Office and pay the annual data protection fee. This applies UK-wide.

Data protection fee: ICO registration

Legal requirement to pay data protection fee to ICO under Data Protection Act 2018.

Under the Data Protection (Charges and Information) Regulations 2018, most organizations that process personal data must pay an annual data protection fee to the Information Commissioner's Office (ICO).

Who must pay

Must pay if your business:

Processes personal information about individuals (customers, employees, suppliers)
Is not covered by a limited exemption

Personal data includes: Names, addresses, email addresses, phone numbers, IP addresses, employee records, customer orders, marketing lists.

Tier 1 fee (most small businesses): £52 per year - Turnover up to £632,000 AND 10 or fewer staff (from Feb 2025)
Tier 2 fee: £78 per year - Turnover up to £36 million AND 250 or fewer staff (from Feb 2025)
Tier 3 fee (large organizations): £3,763 per year - Turnover over £36 million OR over 250 staff (from Feb 2025)
Penalty for non-payment: Up to £4,350 plus the fee owed

When to register

Before you start processing personal data - this means from day one for most businesses. You process personal data if you:

Keep customer records (names, email addresses, order history)
Have employees (employment records, payroll, contact details)
Use suppliers (contact information)
Send marketing emails
Use cookies on your website
Store business contacts in a CRM

Exemptions

Very limited exemptions exist. You're exempt only if you:

Only process personal data for personal or household purposes (not business)
Only process data for accounts, records, and admin required by law (very narrow - consult ICO guidance)
Are an MP, elected representative, or judge (specific exemptions)

Most businesses are NOT exempt - if you have any customer or employee data, you likely need to pay.

Registration process

Self-assess your tier using ICO's online tool
Register online at ico.org.uk
Pay annual fee by Direct Debit or card
Receive registration confirmation - Your registration appears on ICO's public register
Renew annually - ICO will remind you when renewal is due

Renewal: Annual - ICO sends renewal reminder before expiry
Public register: Your registration is publicly searchable on ICO website
Direct Debit discount: £5 discount if paying by Direct Debit

Pay the data protection fee

Insure your employees

If you employ anyone — underwriters, claims handlers, call-centre or administrative staff — you must hold employers' liability insurance of at least £5 million from an authorised insurer. This is a duty in Great Britain; equivalent rules apply in Northern Ireland.

Employers' Liability Insurance Requirements

Legally required insurance for businesses that employ staff

Legal requirement: LEGALLY REQUIRED if you employ anyone (even part-time or family members working for you)
Minimum cover: £5 million minimum (most policies provide £10 million)
Penalty for non-compliance: £2,500 fine per day without insurance, plus £1,000 fine for not displaying certificate
What it covers: Compensation claims from employees injured or made ill at work
Exemption: Close family businesses may be exempt

Employers' Liability Insurance

Keep your workplace safe

You owe a general duty to protect employees and others affected by the business — offices, call centres and public-facing operations. The Health and Safety at Work etc. Act 1974 applies in Great Britain; Northern Ireland has its own corresponding health and safety order.

Health and Safety at Work etc. Act 1974 (HASAWA)

The Health and Safety at Work etc. Act 1974 - primary UK workplace health and safety legislation establishing employer and employee duties. Pure data reference.

The Health and Safety at Work etc. Act 1974 (HASAWA 1974) is the primary legislation governing workplace health and safety in the United Kingdom. It establishes the legal framework for protecting the health, safety and welfare of people at work and those affected by work activities.

Legal status: Primary legislation - principal UK health and safety statute
Royal Assent: 31 July 1974
Came into force: 1 April 1975 (in stages)
Geographic scope: Great Britain (separate legislation applies in Northern Ireland)
Applies to: All employers, employees, self-employed persons, and those who control work premises
Primary duty (Section 2): Employers must ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees
Duty to non-employees (Section 3): Employers must protect persons not in their employment (contractors, visitors, public) who may be affected by work activities
Employee duties (Sections 7-8): Employees must take reasonable care for their own health and safety and that of others, cooperate with employers, and not misuse safety equipment
Enforcement authority: Health and Safety Executive (HSE) and local authorities
Maximum penalties (post-2008 amendments): Unlimited fines in Crown Court; imprisonment up to 2 years for individuals; up to 6 months and/or £20,000 fine in Magistrates' Court
Referenced by regulators: Cited in 31 regulatory documents in the ORDS (Office for Regulatory Delivery and Simplification) dataset
Secondary regulations: Enables creation of health and safety regulations (e.g. Management of Health and Safety at Work Regulations 1999, COSHH, Manual Handling)

Reasonably practicable: The Act uses the term "so far as is reasonably practicable" throughout. This means employers must balance the level of risk against the time, trouble and cost of controlling it. However, the law is weighted in favour of health and safety - employers must demonstrate that control measures would be grossly disproportionate to the risk before they can be considered not reasonably practicable.

Self-employed persons: The Act also places duties on self-employed persons to protect their own health and safety and that of others who may be affected by their work activities.

Health and Safety at Work etc. Act 1974 (legislation.gov.uk)

HSE - Health and Safety at Work etc. Act 1974 guidance

Keep your premises fire-safe

The responsible person for non-domestic premises must carry out and maintain a fire risk assessment. This is devolved: the Regulatory Reform (Fire Safety) Order 2005 covers England and Wales, with the Fire (Scotland) Act 2005 in Scotland and the Fire and Rescue Services (Northern Ireland) Order 2006 in Northern Ireland.

Regulatory Reform (Fire Safety) Order 2005

The 'responsible person' (employer, owner or occupier) must carry out a fire risk assessment for any non-domestic premises and implement appropriate fire safety measures. This applies to all hospitality premises including hotels, restaurants, pubs and nightclubs.

Who is the responsible person?

The responsible person is the employer, owner, landlord, occupier, or anyone with control of the premises. In hospitality, this is typically the business owner or manager.

Fire risk assessment

The responsible person must carry out and regularly review a fire risk assessment covering:

Identification of fire hazards (ignition sources, fuel, oxygen)
Identification of people at risk (employees, customers, vulnerable persons)
Evaluation and reduction of risks
Recording findings and fire safety plan (if 5+ employees)
Regular review and updates

Fire safety measures

Based on the risk assessment, implement appropriate measures including:

Fire detection and warning systems (smoke alarms, fire alarm panels)
Fire-fighting equipment (extinguishers, fire blankets)
Emergency escape routes and lighting
Fire safety signs and notices
Fire doors kept clear and free to close
Staff training on fire procedures
Emergency evacuation plan and drills

Fire Safety Act 2021 (from January 2022)

For buildings containing two or more sets of domestic premises (e.g. hotels, aparthotels), the responsible person must now assess fire risks in external walls, entrance doors to flats, and windows.

Step 1: Appoint a competent person to conduct fire risk assessment (may be yourself if trained)
Step 2: Complete fire risk assessment identifying hazards and persons at risk
Step 3: Implement control measures to reduce fire risk
Step 4: Ensure fire detection systems are installed and maintained
Step 5: Provide adequate fire-fighting equipment (extinguishers) and arrange annual servicing
Step 6: Establish clear evacuation routes with emergency lighting and signage
Step 7: Designate assembly point and ensure staff know evacuation procedures
Step 8: Train all staff on fire safety procedures during induction
Step 9: Conduct regular fire drills (at least annually)
Step 10: Record fire risk assessment findings if you employ 5 or more people
Step 11: Review fire risk assessment annually or after significant changes

Fire safety risk assessment guidance

Do not discriminate

You must not discriminate against employees or in services to the public because of a protected characteristic — and for insurers that includes the Equality Act's specific rules on using risk factors in financial services. The Equality Act 2010 applies in England, Scotland and Wales; Northern Ireland has its own equality law enforced by the Equality Commission for Northern Ireland.

Next steps

With the shared duties in place, follow the guides for your regulated activity:

Insurer authorisation and prudential rules — Part 4A permission, Solvency UK, operational resilience
Insurer conduct and accountability rules — SM&CR, Consumer Duty, promotions, complaints, pricing, FSCS
Run an occupational pension scheme — TPR registration, funding, trustees, dashboards

Then confirm everything with the insurance and pension compliance checklist.

Run a compliant insurance or pension business

Run a compliant information service business

Run a compliant membership organisation

Set up and run a safe mineral products factory

Security and investigation compliance checklist

Set up and run a safe management consultancy

Protect personal data and pay the ICO fee

Insure your employees

Keep your workplace safe

Keep your premises fire-safe

Do not discriminate

Next steps

Related guides in Health & Safety

Protect personal data and pay the ICO fee

Insure your employees

Keep your workplace safe

Keep your premises fire-safe

Do not discriminate

Next steps