Beware of scams

We are aware of scams coming from email and social media where people try to impersonate us. We will never ask you for money or your bank details. Learn more about what to look out for and how to protect yourself.

What is the ICO data protection fee and do I need to pay it?

The Information Commissioners Office (ICO) is a UK independent authority with a remit to enforce data protection legislation. It ensures that relevant UK organisations that process personal data comply with the most up-to-date policies and execute effective data protection practices.

Under the General Data Protection Act 2018 opens in new window organisations processing personal information (such as financial or address details) are required to pay a data protection fee unless they are exempt.

Read our guide on how to protect customer data opens in new window.


What is the ICO data protection fee?

The ICO data protection fee helps fund the ICO’s work in providing advice and guidance about how to comply with the law opens in new window.

It is a legal requirement set by the Data Protection Act 2018 that UK organisations collecting, storing, and sharing personal data pay the ICO data protection fee each year unless they are exempt.

Some companies, such as public authorities and non-profit organisations, may be exempt from payment, and specific charities could be eligible for a reduced fee.


What is the ICO data protection fee used for?

The role of the ICO is to uphold information rights in the public interest opens in new window and the ICO data protection fee is used to fund the ICO’s work providing advice and guidance about how to comply with the law opens in new window.

It is used to raise awareness and educate organisations on the importance of robust data protection policies and the consequences of not upholding effective data protection methods.

Some of the ways opens in new window the ICO does this include:

  • funding public awareness campaigns through social media platforms opens in new window, blogs, and email
  • delivering training, seminars, and workshops to organisations or hosting educational events in local areas
  • producing detailed reports and documents entailing relevant data protection rules opens in new window and regulations aimed at both organisations and individuals
  • conducting investigations to see if companies have breached data protection rules, including hiring staff opens in new window and accessing the technologies needed for dealing with complex cases involving data
  • pursuing legal action if a company has breached the rules, such as by paying court fees and other legal expenses.

Read our guide on data processors v data controllers opens in new window.


Do I need to register with the ICO?

Every organisation or sole trader opens in new window who processes personal information needs to pay the data protection fee to the ICO unless exempt opens in new window.

You’ll need to assess whether you process personal data.

The ICO provides a free self-assessment opens in new windowquestionnaire on its website to help determine whether your organisation needs to pay the fee.

You can register online on the ICO’s website, where you’ll be asked to provide information about the data you process, how you manage it, and who has access to it.

Once you enter your details, the ICO determines how much you must pay annually.


What does processing personal data mean?

Processing personal data encompasses a range of criteria such as collecting, storing, and recording various types of information such as:

  • names
  • addresses
  • telephone numbers
  • social media accounts
  • email addresses.

Larger organisations that conduct large-scale data processing may need to hire a Data Protection Officer, opens in new windowespecially if collected and processed data falls under the “special categories of data” criteria.

This covers more sensitive information that calls for strict protection, such as:

  • medical records
  • race or ethnicity
  • political opinions or trade union membership
  • religious, spiritual, and philosophical views
  • genetic data
  • biometric data
  • the individual’s sex life or their sexual orientation.


How much is the ICO fee?

The cost of the ICO data protection fee  opens in new windowis subject to the following:

  • the size of your organisation
  • the number of employees
  • annual turnover
  • whether your organisation is a public authority
  • if your organisation is a charity or a small occupational pension scheme.

There are three tiers of fees, and as of 2023, the annual fees currently stand as follows:

  • Tier 1 is aimed explicitly at micro-organisations, meaning that the business has a maximum turnover of £632,000 for its financial year or has no more than ten staff members; tier one organisations are expected to pay £40.
  • Tier 2 targets small to medium enterprises, meaning the business turns over an annual maximum of £36mn for its financial year and does not have more than 250 staff employees; tier two organisations are required to pay £60.
  • Tier 3 is for large organisations with a turnover exceeding £36mn and more than 250 employees; tier three organisations must pay £2,900.

It’s important to note that public authorities are classified into these tiers based on the number of employees opens in new window, not turnover.

Moreover, regardless of size and turnover, charities need only pay the Tier 1 fee.


How can I check if my business is exempt?

To check if your business is exempt from ICO payments, you can use the ICO’s free self-assessment. opens in new window

Companies may be exempt if:

  • they’re processing data exclusively for staff administration purposes
  • they’re only using data for advertising, marketing opens in new window, and public relations as a means to promote their business
  • they’re non-profit organisations that only use data to organise activities for members or people who regularly interact with your group.

To avoid penalties, checking with the ICO is important to ensure your company is exempt.


Penalties for non-payment

Failure to pay the annual fee may be subject to penalties from the ICO.

Fines can range up to £4,350 opens in new window depending on the size and turnover of the business.

In addition to a monetary fine, the ICO can also make public the names of those who have paid and those who have not paid their data protection fee, which could harm the reputation of your business.


When and how do I pay the fee?

The ICO requires annual renewable payments, usually one year from the day of initial registration.

If you’re paying for the first time, you can call or pay on the ICO’s website.

You can pay via credit or debit card, cheque, or set up a direct debit.

Additionally, organisations that pay their fees via direct debit receive a £5 discount, meaning many small businesses pay £35 annually.


Learn with Start Up Loans and help get your business off the ground

Thinking of starting a business? Check out our free online courses in partnership with the Open University on being an entrepreneur.

Our free Learn with Start Up Loans courses opens in new window opens in new window include:

Plus free courses on finance and accounting, project management, and leadership.


Reference to any organisation, business and event on this page does not constitute an endorsement or recommendation from the British Business Bank or the UK Government. Whilst we make reasonable efforts to keep the information on this page up to date, we do not guarantee or warrant (implied or otherwise) that it is current, accurate or complete. The information is intended for general information purposes only and does not take into account your personal situation, nor does it constitute legal, financial, tax or other professional advice. You should always consider whether the information is applicable to your particular circumstances and, where appropriate, seek professional or specialist advice or support.

Feeling Inspired?