Data Protection Fee in the UK: Everything You Need to Know

Running a business means always having a long to-do list—managing finances, ensuring customers are happy, keeping track of inventory, and making sure everything runs smoothly.

But have you thought about whether you need to pay the data protection fee? Many business owners don’t even realise this fee exists until they receive a letter from the UK government or the Information Commissioner’s Office (ICO).

The data protection fee is a legal requirement for any business in the UK handling personal data. Whether you’re storing emails, processing payments or managing customer accounts, you might need to get an ICO registration number and pay the annual fee. 

In this guide, we’ll break down everything you need to know about the data protection fee in the UK in simple terms. We’ll explain who needs to pay, how much it costs and how to check if your business is exempt. 

What is the data protection fee?

The data protection fee is an annual fee that UK businesses, organisations, and sole traders must pay if they process personal information. This includes collecting, storing, modifying or sharing data.

While some businesses and organisations qualify for exemptions, if you are handling personal data in any way, you will likely need to pay the fee.

The fee is mandatory and must be paid to the Information Commissioner’s Office (ICO) as part of your company’s legal obligation under the Data Protection Act 2018. This law enforces the General Data Protection Regulation (GDPR) in the UK. 

Failure to comply can result in fines, legal action and inclusion in public record listings.

Who is the ICO?

The ICO (Information Commissioner’s Office) is an independent public body that regulates data protection compliance in the UK. Its role is to ensure that businesses, public authorities and other organisations handle sensitive information safely, fairly and legally.

The ICO’s work includes enforcing data protection legislation, investigating complaints, and providing guidance on data protection obligations. It also maintains a public register of data controllers and takes legal action against businesses that fail to comply with UK legislation.

By overseeing how organisations process personal data, the ICO helps protect individuals from the misuse of their sensitive information. 

How does the ICO use the data protection fee?

The ICO data protection fee funds the organisation’s operations, enabling it to enforce data protection law and ensure businesses comply with their legal requirements.

It also supports the ICO’s efforts to raise public awareness through campaigns, training seminars and workshops that provide advice and guidance to businesses and educate organisations on how to process personal information securely.

By requiring organisations to pay the fee, the ICO promotes accountability and responsibility in how businesses handle personal data. Paying the annual fee is not just a legal obligation but also a way to demonstrate your business’s commitment to protecting customer and employee data.

Who needs to pay the data protection fee?

If your business processes personal data, there’s a good chance you need to pay the ICO data protection fee. The fee applies to all data controllers, meaning businesses or individuals who decide how and why personal data is used.

Many small business owners assume this doesn’t apply to them, but even basic activities—like keeping customer contact details, running a mailing list or using staff administration software—can make you liable. 

The ICO expects businesses to register and pay unless they qualify for an exemption.

Additionally, if you use closed-circuit television (CCTV), you must declare it and pay the data protection fee. Since individuals can be easily identified in CCTV footage, it is considered processing personal data.

Data controllers vs. data processors

Understanding whether you’re a data controller or a data processor is crucial, as usually only controllers need to pay the ICO data protection fee.

Data controllers decide why and how personal data is processed. They are responsible for compliance, security and ensuring that individuals’ privacy rights are protected. 

Data processors, on the other hand, simply handle data on behalf of controllers and must follow their instructions. They don’t decide what data is collected or why it’s used, so they do not need to pay the fee.

For example, if you’re a small marketing agency collecting and storing client data or managing PR accounts, you are likely a data controller and must register. But if you’re a third-party software provider processing data for other businesses, you may only be a data processor and exempt.

Who is exempt from paying the fee?

Not all businesses are required to pay a data protection fee. If you only process personal data manually (not electronically), you will probably be exempt.

You may also be exempt if your business processes personal data only for:

  • Staff administration (e.g., payroll and HR records);
  • Advertising, marketing or public relations activities (but only for your own business);
  • Accounts and records management;
  • Non-profit activities (e.g., charities or certain membership groups);
  • Personal and household affairs (e.g., maintaining an address book or financial records);
  • Maintaining a public register (for specific professions or industries);
  • Judicial functions (e.g., courts, tribunals).

Even if you believe you qualify for an exemption, it’s good practice to complete the ICO’s online application to confirm your status. Your data processing activities may change over time, so it’s important to check regularly if you still qualify for an exemption.

How to check if your business is exempt

To find out if you need to pay the ICO data protection fee, use the self-assessment checker on the ICO website. 

The tool asks key questions, such as:

  • Do you process personal data?
  • Do you process it electronically (e.g., using a CRM, email software or automated system)?
  • Are you responsible for deciding how the data is used?
  • Is your business a non-profit organisation?
  • Do you process data for a public interest, crime prevention or any other exempt activity?

The checker will guide you through the process, asking only the necessary questions. In the end, you’ll receive a clear result: either that you need to register and pay the fee, or that your business is exempt.

Keep in mind, however, that even if you are exempt, the ICO may still contact you through your Companies House registration number, and you will need to inform them of your exemption.

How much is the data protection fee?

The data protection fee is not a fixed amount, and it’s not the same for every business. Different fee structures and compliance requirements apply depending on your business size and turnover. To help you determine which category you fall into, we’ve broken them down below.

Fee structure and tiers

The ICO register divides businesses into three tiers based on annual turnover and the number of employees:

  • Tier 1: Micro organisations – Annual turnover of £632,000 or less and 10 or fewer employees
  • Tier 2: Small and medium-sized businesses – Maximum turnover of £36 million and up to 249 employees
  • Tier 3: Large organisations – Annual turnover over £36 million or more than 250 employees

Charities that are not exempt as non-profit organisations and small occupational pension schemes automatically fall under Tier 1, regardless of size or revenue.

How to calculate your fee

To determine your fee amount, simply calculate your annual turnover. You will also need to know your number of staff members (including employees, workers, office holders and partners).

Your staff count is based on the average number working for you throughout your financial year, and each part-time employee is counted as one full member of staff.

The applicable fees as of 2025, based on your tier category, are as follows:

  • Tier 1: £52;
  • Tier 2: £78; 
  • Tier 3: £3,763.

The fees are VAT-exempt, and if you pay by direct debit, you’ll receive an automatic £5 discount at the point of payment. Additionally, some organisations, such as certain charities, may be eligible for a reduced fee.

It’s important to provide accurate business information, as incorrect fee payments could lead to compliance issues or penalties from the ICO.

How to pay the data protection fee

Once you’ve confirmed that your business is required to pay the data protection fee and isn’t exempt, the payment process is simple.

Do you need to register with the ICO?

To pay the data protection fee, you must first register online. This is done through the ICO’s website.

If you’re registering for the first time, click on “First-time payment.” For businesses that have already registered, you’ll choose “Renew.”

You’ll need to provide details about your business, such as its size, turnover, how you handle personal data and who has access to it. Don’t worry—it only takes a few minutes and the system will guide you through everything. It will also help you determine which fee tier applies to your business.

If your initial registration has expired, the ICO will automatically consider your business as a fee payer in Tier 3 unless you update your information and provide further clarification.

Payment methods and deadlines

The ICO makes paying the fee easy, offering several payment options. The supported payment methods are credit or debit card, cheque or direct debit. Using the last option will save you £5 on your annual fee.

Once you’ve completed the payment, make sure to save a copy of the payment confirmation for your records.

While there’s no fixed deadline for paying the data protection fee, the ICO will send letters reminding businesses about the requirement. These letters will also indicate a date by which they expect a response, whether you need to pay the fee or not.

If it’s your first time paying, we recommend getting your fee paid as soon as your business starts processing personal data. Waiting too long could lead to non-payment penalties and you don’t want that administrative hassle when dealing with your core business activities and potential customers.

Penalties and consequences of non-payment

The ICO data protection fee isn’t optional if your business processes personal data—it’s a legal requirement and failing to pay on time could cost you significantly. Fines can reach up to £4,000 on top of the fee itself if you miss the deadline stated in your ICO letter. But financial penalties aren’t the only consequence of non-compliance.

The ICO can take further action, including issuing enforcement notices and even pursuing legal action. On top of that, the ICO regularly publishes a list of businesses that haven’t paid, which could damage your reputation and make potential customers question your commitment to data protection.

With these risks in mind, non-payment simply isn’t worth it. The fee itself is relatively small for a year, and it’s always better to avoid unnecessary fines and harm to your business reputation by ensuring you meet your obligations.

Recent updates and regulatory changes

If you are a business owner in the UK, you might have already heard about the recent changes to the data protection fee. In 2024, the UK government launched a review of the fee structure under the Data Protection Act 2018, with a proposal to increase costs by 37.2% for businesses handling personal data.

The review also examined how fees are calculated, discounts for direct debit payments and whether current exemptions should change.

According to the government, this increase is necessary to account for inflation and ensure the ICO has the resources to enforce the data protection law effectively.

After months of consultation, the changes were finalised in January 2025. 

The proposed increase was reduced to 30%, leading to the following new ICO fees:

  • Tier 1 (micro businesses): £52 (previously £40)
  • Tier 2 (small and medium organisations): £78 (previously £60)
  • Tier 3 (large businesses): £3,763 (previously £2,900)

While most agree that the ICO needs proper funding, many small and medium enterprises are worried about the extra cost. The government has acknowledged these concerns and passed the feedback to the ICO for further consideration. Whether this will lead to new adjustments remains to be seen.

Conclusion

Understanding the data protection fee might not be the most exciting part of running a business, but it’s one you can’t afford to ignore. If your business processes personal data, you likely need to register with the ICO and pay the fee—unless you fall under an exemption.

Skipping this step isn’t worth the risk. The UK government takes data protection obligations seriously and failure to comply could mean fines and penalties. Plus, having an ICO registration number can actually boost trust with customers—it shows you take data security seriously.

The good news? Registering is straightforward. You can check whether you are required to pay the fee via the ICO’s website. The self-assessment tool there will calculate your fee or let you know if you are exempt.

Frequently asked questions

Your questions answered

The ICO defines processing personal data quite broadly. This includes handling information such as names, addresses, telephone numbers, social media accounts and emails. The following actions are considered processing:

  • Collecting or recording personal data;
  • Storing, organising or retrieving data;
  • Using, modifying or altering data;
  • Sharing personal information;
  • Erasing or deleting data.

If you’re unsure whether your business falls under these activities, you can use the ICO’s assessment tool to check if you need to pay the data protection fee.

Under GDPR, individuals have the right to access and receive a copy of their personal data. This is known as a subject access request (SAR). In most cases, you cannot charge a fee to process an SAR. However, some organisations charge a small administrative cost if the request is deemed unreasonable or excessive. Additionally, a fee may apply if the individual requests further copies of the same information after an initial request. Intelligence services are an exception—they can always charge £10 for an SAR if they choose to.

Yes, it can be a GDPR breach, depending on the circumstances. Sharing someone’s personal email with third parties without their consent or a valid legal basis violates GDPR. It can also be a breach if an email address is exposed due to poor security (e.g., sending via an unencrypted channel) or if multiple recipients’ emails are visible because CC was used instead of BCC. However, sharing an email is not a breach if the individual has given explicit consent or if there is a legitimate reason that does not override their rights, such as internal business communication.
