ICO Registration Guide

ICO Registration Guide: Who Needs to Register, What It Costs, and How to Do It

Most UK businesses that handle personal data are legally required to register with the Information Commissioner’s Office (ICO) and pay an annual data protection fee. A surprising number don’t, often without realising. Here’s who needs to register, what it costs, and how to do it properly.

If your business holds names, email addresses, phone numbers, employee records, customer lists, supplier contacts, CCTV footage, or pretty much any information that identifies a living person, you almost certainly need to be registered with the ICO. The legal duty applies to organisations of all sizes, from sole traders working from home to large enterprises.

The fee starts at £40 a year. The penalty for not paying it can run into thousands of pounds. The whole registration process takes about ten minutes online. And yet, walking through any UK high street or business park, you can identify dozens of small businesses that are not on the ICO’s register. Some have never heard of the requirement. Others have heard of it but assumed it didn’t apply to them. A few have decided to take the risk.

This guide explains who needs to register, what the fee tiers look like, what happens if you don’t, and how to do it correctly.


What is the ICO and why does registration matter?

The Information Commissioner’s Office is the UK’s independent regulator for data protection law. It enforces the UK GDPR and the Data Protection Act 2018, and it maintains a public register of every organisation in the UK that processes personal data and is subject to the data protection fee.

Registering with the ICO does two things at once. It pays the data protection fee, which is what funds the ICO itself, and it puts your business on the public register. Both parts matter. The fee is a statutory obligation; the public register is increasingly used by clients, suppliers and procurement teams as a basic compliance check before they work with you.

If you process personal data and are not registered, you are in breach of the law. The ICO does check, and it does issue fines.


Who needs to register?

The starting point is simple: if you process personal data, you probably need to register. That includes the obvious cases (a marketing list, a customer database, a CRM) and the much less obvious ones (a list of suppliers, employee payroll records, CCTV that captures identifiable people, a website contact form, a delivery note with a customer’s address on it).

The rules apply to:

  • Limited companies and partnerships
  • Sole traders
  • Charities and not-for-profits
  • Public authorities
  • Self-employed contractors and tradespeople
  • Property landlords
  • Practices, surgeries and clinics
  • Schools and education providers

There are a small number of narrow exemptions, mostly for organisations that only process personal data for genuinely personal, family or household activities, or for organisations that exclusively process payroll, accounts or staff administration with no other data activities at all. The exemptions are tightly drawn. The ICO’s own guidance is that if you are unsure, you should register.

“If you are running a business in the UK, the realistic default position is that you need to be registered with the ICO. The exemptions are narrower than most owners assume.”


What does it cost?

The data protection fee has three tiers based on your size, turnover and the nature of your data processing.

Tier 1: micro organisations. Annual turnover up to £632,000, or fewer than 10 staff. Annual fee £40 (or £35 if paid by direct debit). This is where the majority of UK SMEs sit.

Tier 2: small and medium organisations. Annual turnover up to £36 million, or fewer than 250 staff. Annual fee £60 (or £55 by direct debit).

Tier 3: large organisations. Anything above the Tier 2 thresholds. Annual fee £2,900 (or £2,895 by direct debit).

Charities and small occupational pension schemes pay the Tier 1 rate regardless of size. Some public authorities are exempt from the fee but must still register.

For most businesses reading this, you are Tier 1 or Tier 2. The annual cost is genuinely modest. The cost of not registering, by contrast, is not.


What happens if you don’t register?

The ICO actively enforces the fee. It cross-references its register against Companies House, HMRC, and other public records to identify businesses that should be registered but aren’t. When it finds one, it sends a warning notice. If the business still doesn’t register, it issues a fine.

Penalties under the Data Protection (Charges and Information) Regulations 2018 currently range from £400 up to £4,350 depending on the size and nature of the organisation. Fines are issued under a fixed-penalty regime, with a discount for prompt payment, and they are pursued through the courts if unpaid.

Beyond the direct penalty, the practical consequences matter too. The ICO publishes a list of organisations it has fined for non-payment, which is both publicly searchable and indexed by Google. Procurement teams and corporate clients running supplier due diligence routinely check the ICO register, and an unregistered supplier increasingly gets quietly removed from the shortlist.

The cost of registering is £40. The cost of being publicly fined for not registering can run into the thousands and lose you a contract on top.


How to register: step-by-step

Registration is done online, takes about ten minutes, and renews annually.

  1. Go to the ICO’s registration page. The official URL is ico.org.uk/registration. There are several third-party services that will offer to register on your behalf for an inflated fee. Don’t use them. The official process is straightforward and free of charge beyond the statutory fee.
  2. Run the self-assessment. The ICO will ask a short series of questions to confirm whether you need to register and which fee tier applies. Have your turnover and headcount figures to hand.
  3. Provide organisation details. Company name, registered address, Companies House number if applicable, and the name and contact details of a designated person responsible for data protection (this does not have to be a formally appointed Data Protection Officer for most SMEs).
  4. Pay the fee. Card payment or direct debit. Direct debit is slightly cheaper and renews automatically, which removes the risk of accidentally lapsing.
  5. Receive your registration number. Once paid, you’ll get a registration number, typically beginning with “Z” or “ZA”. Keep this on file. It often comes up in tenders, supplier questionnaires and insurance applications.

Renewal is automatic if you set up direct debit. If you paid by card, you will need to re-register manually each year before your renewal date.


Common mistakes to avoid

A handful of misconceptions account for most of the cases we see where businesses fall foul of ICO requirements:

“We don’t really hold customer data.” If you take customer phone calls, hold a contacts list, send invoices, or have employees, you process personal data.

“We’re too small to need to register.” Sole traders processing personal data need to register. The Tier 1 fee was designed specifically for very small businesses.

“Our website doesn’t collect anything sensitive.” A simple contact form, an enquiry form, or a newsletter signup all involve processing personal data.

“We registered when we incorporated, that’s enough.” ICO registration is annual, not one-off. It must be renewed every year, and many businesses lapse without realising.

“We use a CRM provider, so they handle it.” Your CRM provider may be a data processor, but you remain the data controller. The legal duty to register sits with you.

“We’ve never heard from the ICO, so it must be fine.” The ICO’s enforcement is increasingly automated and increasingly active. Not having heard from them yet is not the same as being compliant.


What ICO registration is, and isn’t

It is worth being clear about what registration actually achieves. Paying the data protection fee and appearing on the public register makes you legally compliant on that specific point. It does not, on its own, mean you are compliant with the wider UK GDPR or the Data Protection Act 2018.

The wider compliance picture includes things like having an appropriate privacy policy, holding a lawful basis for each type of data processing, keeping records of processing activities, having appropriate security measures, knowing how to handle a subject access request, and having a process for reporting personal data breaches within 72 hours of becoming aware of them.

ICO registration is the starting point. It is not the finishing line. But it is the obvious, public, easy-to-check first thing that regulators and procurement teams look at, and getting it right matters because everything else depends on it.


Where this fits with cyber security and Cyber Essentials

Data protection compliance and cyber security are two sides of the same coin. The UK GDPR requires “appropriate technical and organisational measures” to keep personal data secure. In practice, that overlap means most businesses pursuing Cyber Essentials or ISO 27001 are already doing much of the work that data protection compliance requires.

For organisations that hold genuinely sensitive personal data, especially in healthcare, financial services and legal practices, demonstrable security controls are no longer optional. ICO registration is the legal baseline; appropriate cyber security is what makes the data you hold actually safe.


How System Force IT helps

We are a UKAS-accredited ISO/IEC 27001:2022 certified managed service provider. That means our own information security management system is independently audited to the international standard, and the same governance discipline shapes how we support our clients.

Compliance reviews are a standard part of our managed IT engagements. For every client, we periodically check public-register entries (including the ICO register), highlight gaps that need addressing, and make sure that the controls our clients rely on are actually in place. We do this whether the client asks for it or not, because it is part of what proper IT support looks like in 2026.

If you are unsure whether your business is registered with the ICO, the quickest check is the ICO’s own public register at ico.org.uk/ESDWebPages/Search. Search for your company name. If you don’t appear, you almost certainly need to register.

If you’d like a wider compliance and cyber-security review, including ICO status, Cyber Essentials readiness, and a Microsoft 365 security baseline, we offer a free, no-obligation assessment. We’ll tell you honestly what’s missing and prioritise what actually needs fixing.

Get a free compliance and IT review

A 30-minute scoping call followed by a written assessment of your ICO registration status, Cyber Essentials readiness, Microsoft 365 security baseline and short-term IT risks. No sales pitch. No obligation. We’ll tell you if your existing setup is fine.

Request your free IT and compliance review

Or call us directly: 01452 701355. We are based in Gloucestershire and work with UK SMEs across professional services, manufacturing, healthcare, financial services, and trade businesses.


About System Force IT

System Force IT is a managed IT and cyber-security provider based in Gloucestershire, serving UK SMEs across regulated and high-trust sectors. UKAS-accredited ISO/IEC 27001:2022 certified, Microsoft Solutions Partner, Cyber Essentials practitioners. We don’t sell ICO registration as a service, and we receive no commission for highlighting compliance gaps. It is simply part of how we look after the businesses we support.

This guide is provided for general information and does not constitute legal advice. ICO fees and rules can change; always check the current position at ico.org.uk. If you have specific questions about your obligations, you should seek qualified legal advice.
