Data protection · 1 July 2026
ICO registration explained: the data protection fee and who must pay
Most UK organisations that handle personal data have a legal duty to register with the Information Commissioner’s Office (ICO) and pay an annual data protection fee. It’s a straightforward obligation, but an easy one to overlook. This guide explains who must pay, how much, and how to do it.
What ICO registration is
Under the Data Protection (Charges and Information) Regulations 2018, organisations that process personal data must pay a data protection fee to the ICO unless they’re exempt. The fee funds the ICO’s work as the UK’s independent data protection regulator. In practice, paying the fee places your organisation on the ICO’s public register of fee payers.
This is a legal requirement, separate from your other UK GDPR obligations — meeting your data protection duties well doesn’t remove the need to register.
Who must pay
The starting position is that most organisations that process personal data must pay the fee. This includes companies, sole traders, partnerships and many others. Care and health providers, who process personal and health data as a matter of course, almost always need to pay.
There are limited exemptions. You may not need to pay if you only process personal data for certain purposes, such as:
- Staff administration
- Advertising, marketing and public relations for your own business
- Accounts and records
- Not-for-profit purposes (subject to conditions)
- Purely personal, family or household activities
- Certain judicial functions
Because these exemptions are narrow and easily misjudged, the ICO provides a self-assessment tool to check your position. If you process personal data for the purposes of delivering a service — as care providers do — you’ll almost always fall outside the exemptions and need to pay.
How much it costs
The fee is set in three tiers, based mainly on your size and turnover. The tiers are:
| Tier | Broadly applies to |
|---|---|
| Tier 1 | Small organisations and businesses (lower turnover or few staff) |
| Tier 2 | Medium organisations |
| Tier 3 | Large organisations |
There is a small reduction for paying by direct debit, and some organisations, such as charities and small occupational pension schemes, pay a reduced Tier 1 fee regardless of size. The ICO publishes the current fee amounts for each tier — always check the ICO’s website for the exact figures before you pay, as these are set by regulation and can change.
How to register
Registration is done directly through the ICO’s website. You’ll typically need:
- Basic details about your organisation
- Information about your turnover and number of staff (to determine your tier)
- A payment method for the annual fee
The process is designed to be completed online in one sitting. Once registered, you must renew annually and keep your details up to date.
Keeping it current
The data protection fee is an annual obligation. Set a reminder to renew, and update your registration if your circumstances change — for example if you grow into a higher tier. Letting registration lapse is a common and avoidable oversight, and the ICO can take enforcement action against organisations that fail to pay when required.
How this fits your wider obligations
ICO registration is one part of a broader data protection picture. Alongside it, you should have your RoPA, privacy notices, a breach procedure and staff training in place. Registration confirms you’re on the ICO’s radar as a fee payer; the rest demonstrates you’re actually meeting your duties. For care providers, our UK GDPR in healthcare guide ties these together.
Common mistakes
- Assuming you’re exempt without checking the ICO’s self-assessment
- Forgetting to renew the fee each year
- Not updating your tier as the organisation grows
- Treating registration as the whole of data protection compliance, rather than one piece of it
If any of the terminology here is unfamiliar, our glossary explains the key terms.
How to work out your tier
Because the fee depends on your size, it’s worth understanding how the tiers are judged. The ICO looks broadly at your annual turnover and number of staff, with different thresholds separating the tiers, and there are special rules for certain organisation types such as charities and public authorities. A small care provider will usually fall into the lower tier, but a growing group may move up as it takes on more staff or turnover. If you’re unsure which tier applies, the ICO’s website sets out the current thresholds alongside the fee amounts — always check there before you pay, since the figures are fixed by regulation rather than by us.
Registration is a duty, not a certificate
A useful way to think about ICO registration is that it’s a legal duty to pay, not a badge of compliance. Being on the ICO’s register confirms you’ve met the fee obligation; it does not, by itself, mean your data protection practices are sound. The two go together: you pay the fee and you meet your UK GDPR duties. Some organisations mistakenly believe that once they’ve registered, their data protection obligations are complete — in reality, registration is one small administrative step within a much broader set of responsibilities.
A quick annual checklist
To stay on the right side of the requirement:
- Check whether you’re exempt using the ICO’s self-assessment
- Register and pay the correct tier if you’re not exempt
- Set a renewal reminder so the fee doesn’t lapse
- Update your details if your size or circumstances change
- Keep it in proportion — registration is one piece of your wider compliance
How we can help
Registering with the ICO is simple, but knowing whether it applies to you and getting the wider compliance picture right is where many organisations want support. We offer a clear, fixed-fee engagement that confirms your registration position and helps you put the surrounding data protection foundations in place. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our Data Protection & UK GDPR service.