If you’re setting up a business – either as a sole trader or a limited company – you must register with the ICO if you are processing personal data, unless an exemption applies. As a small business owner, it is important to know about the ICO, as most registered organisations are required to pay a small annual data protection fee (starting from £52 per year), which funds the ICO’s regulatory work.
The Information Commissioner’s Office (ICO) is the “UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” The ICO is headed by the Information Commissioner, John Edwards, as of January 3, 2022.
Key takeaways
- Registering with the ICO is legally required for most organisations that handle personal data.
- The ICO can issue fines of up to £17.5 million or 4% of total annual worldwide turnover (whichever is higher), depending on the severity of the breach.
- Appointing a Data Protection Officer (DPO) is compulsory for organisations involved in high-risk data processing activities.
Do I need to register with the ICO?
Any business that holds information about clients will likely need to register with the ICO, and most business activities require some kind of data collection.
If you are unsure, here are some examples of business activities that fall under ICO rules.
| Activity That Counts Under ICO Rules | Explanation |
|---|---|
| Collecting personal data | Gathering names, emails, phone numbers, addresses, or any other identifiable information. |
| Storing personal data | Keeping customer, client, subscriber, or employee details in any system (CRM, spreadsheets, email lists, etc.). |
| Using personal data | Sending newsletters, marketing emails, segmenting audiences, or using data for analysis or decision-making. |
| Updating or amending data | Editing or correcting personal details you hold. |
| Sharing personal data | Passing data to third parties such as email platforms, analytics tools, payment processors, or freelancers. |
| Accessing personal data | Viewing or retrieving stored personal information. |
| Profiling or automated decision-making | Using tools that analyse or categorise people based on their data. |
| Processing employee data | Payroll, HR records, contracts, or performance data. |
| CCTV monitoring | If recorded footage can identify individuals. |
What is the purpose of the ICO?
The Information Commissioner’s Office (ICO) originated in 1984 as the Data Protection Registrar, created under the Data Protection Act 1984, and took its current name in 2001. It exists to uphold information rights and ensure organisations handle personal data responsibly. The ICO provides guidance to businesses, investigates complaints, and has the authority to take action against organisations that misuse or fail to protect personal information. In essence, the ICO helps maintain public trust by ensuring that data is collected, stored, and processed fairly, lawfully, and securely.
The ICO addresses a range of issues, including data protection complaints and other data-related matters.
- Data protection complaints – the ICO handles complaints in relation to regulatory concerns about how organisations handle personal data.
- Registration – most organisations which handle personal data are required to register with the ICO and pay an annual fee, and to keep their registration details (including the name and contact details of any Data Protection Officer (DPO)) up to date.
- Enforcement – the ICO can take action against any data protection breaches, conducting investigations, making decision notices, issuing fines, and pursuing matters through the courts if necessary.
- Guidance – the ICO provides detailed guides to data protection and information law regulations, as well as creating resources which explain the rights of individuals in relation to their personal data, along with the responsibilities of organisations which control or process personal data.
Although the ICO is an independent public body, it is sponsored by the Department for Science, Innovation and Technology.
Registering with the ICO
You can register with the ICO on its website. The process can typically be completed in under 15 minutes online.
Any organisation (including limited companies and sole traders) that processes personal data is required to register with the ICO, subject to certain limited exemptions. Exempt categories include elected representatives (such as MPs and councillors), members of the House of Lords, and organisations that process personal data only for a narrow set of core purposes (such as staff administration, accounts and records, or advertising their own business) without using CCTV; the ICO’s self-assessment tool will confirm whether an exemption applies to you.
The requirement to register with the Information Commissioner’s Office and pay the relevant fee (see below) is set out in the Data Protection (Charges and Information) Regulations 2018. Failing to register or pay when required can result in a monetary penalty on top of the fee due.
The ICO maintains a public register of organisations and people who have registered, which includes:
- Name and address of the registered company/individual (along with any other trading names);
- Registration number;
- Payment tier;
- Date of initial registration and expiry date of current registration period; and
- Name and contact details for Data Protection Officer (see below) if applicable.
Fees for the ICO
There is an annual fee to pay upon registration, with three tiers, depending on organisation size and turnover. An organisation falls into a tier if it meets either the turnover or the staff condition for that tier:
- Tier 1 (£52) – this applies to organisations which have a maximum turnover of £632,000 for their financial year, or no more than 10 members of staff (this includes all employees, workers, office holders and partners). Charities and small occupational pension schemes also pay the tier 1 fee regardless of size.
- Tier 2 (£78) – the cap on turnover is £36 million, or there should be no more than 250 members of staff.
- Tier 3 (£3,763) – organisations which meet neither the tier 1 nor the tier 2 criteria fall into this category.
Public authorities are placed in a tier by staff numbers only. If you are unsure, the ICO provides an online self-assessment tool to help businesses and individuals determine whether they need to register and, if so, which tier applies.
How to register with the Information Commissioner’s Office
Our ICO Registration Service costs £89.99 +VAT and includes the data protection fee of £52.
If you have not yet formed your company, you will be able to add the ICO Registration Service to your basket after choosing a company formation package.
If you are already a QCF customer, you can purchase the ICO Registration Service from your Online Client Portal:
- Log in to your QCF account
- Click ‘My Companies’ and then select ‘View’ next to your company name
- Select the ‘Shop’ tab and then click ‘Add’ next to ‘ICO Registration Service’
- Proceed to the payment page and pay to complete your order
We will send you an ICO registration questionnaire via email as soon as you have made payment.
If you are not an existing QCF customer, you can still buy our ICO Registration Service by calling us on 020 3908 0044.
Adding a Data Protection Officer (DPO)
The General Data Protection Regulation (GDPR) introduced a requirement for public authorities/bodies, and for companies carrying out certain types of personal data processing (e.g. large-scale online behavioural tracking, or large-scale processing of data relating to criminal convictions), to appoint a Data Protection Officer (DPO). The role of a DPO is essentially to monitor internal compliance with data protection rules and to act as a source of advice and initial point of contact for such matters, liaising with third parties (including the ICO and data subjects) where necessary.
To add a DPO, companies should send an email to: [email protected] with the subject line: ‘Add a DPO’ along with the required details of the DPO.
Making a data protection complaint
The Information Commissioner’s Office deals with a wide range of complaints regarding the use of personal information by organisations, including:
- Nuisance phone calls, spam emails or text messages.
- Concerns about how an organisation is using personal information (e.g. if information is incorrect, is held for too long, or is not being kept secure).
- Cookie consent – The ICO provides an online resource for reporting concerns about specific cookies or similar technologies being deployed by websites.
- Right to be forgotten (right to erasure) – If an internet search (e.g., via Google) brings up search results that include personal information with a detrimental impact on the individual and the search provider refuses a valid request to delist them, the ICO can investigate this and may take enforcement action if appropriate.
- Freedom of Information – If a public body is frustrating a legitimate Freedom of Information request (i.e., in contravention of its duties under the Freedom of Information Act), individuals can complain to the ICO.
To make a complaint relating to data protection or the (mis)use of personal information, follow the instructions on the ICO website.
What are the enforcement powers of the Information Commissioner’s Office?
Enforcement powers of the ICO are set out in Part 6 of the Data Protection Act 2018 (DPA). One of the key tools at the disposal of the ICO is the power to issue fines for data protection law breaches; these are known as penalty notices. The GDPR significantly increased the maximum penalty from £500,000 (the cap under the Data Protection Act 1998) to £17.5 million or 4% of global annual turnover (whichever is higher).
The DPA also arms the Information Commissioner’s Office with the power to issue three other specific types of notices, namely:
Information notices
An information notice is a formal request for a data controller, processor, or individual to provide the ICO with certain information that will assist in an investigation into a suspected compliance failure. There will be a specified time frame within which the information must be provided. The provision of false information in connection with an information notice may lead to a criminal conviction.
Assessment notices
Under section 146 of the DPA, the ICO can issue an ‘assessment notice’ which essentially requires a data controller or processor to allow ICO representatives to conduct an investigation. This may include requiring the controller or processor to:
- Permit ICO representatives to enter specified premises (i.e. to find evidence of a potential data protection breach).
- Direct ICO representatives to the relevant documents or equipment on the premises.
- Provide copies of any potential evidence.
- Allow ICO representatives to observe the processing of personal data which takes place on the premises.
- Organise interviews with relevant staff and contractors.
Assessment notices may be issued with the normal notice period, or on an ‘urgent’, ‘short-notice’ or ‘no-notice’ basis depending on the circumstances (e.g. if the ICO believes there is a risk of evidence being destroyed).
Enforcement notices
If the Information Commissioner’s Office is satisfied that an organisation has failed in its duties under data protection or information law, it can issue an enforcement notice.
This will specify actions which the organisation must take to rectify their failings and bring it into line with the regulations, or alternatively it will require that certain actions are stopped (e.g. processing of personal information). Specific timescales will normally apply.
Failure to comply with information, assessment, or enforcement notices may result in a penalty notice being issued. Court action may also be taken.
To find out more about the enforcement powers of the Information Commissioner’s Office, see their Regulatory Action Policy.
The UK’s Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025, with its provisions being brought into force in stages. Among other changes, it gives the ICO a new power to require individuals to attend an interview and answer questions as part of an investigation. Non-compliance can lead to a penalty, and knowingly making false statements in such an interview is an offence.
Is the ICO related to PECR, FOIA, or GDPR?
The ICO is responsible for overseeing and enforcing the PECR, FOIA and UK GDPR, but they are separate laws, not parts of the ICO. You do not “sign up” to these laws; they apply automatically where their conditions are met. Registration (and the annual fee) is a separate obligation under the Data Protection (Charges and Information) Regulations 2018.
PECR
The Privacy and Electronic Communications Regulations govern electronic marketing, the use of cookies, and the confidentiality of communications. They sit alongside data protection law and set rules for how organisations can send marketing messages and track users online.
FOIA
The Freedom of Information Act gives the public the right to access recorded information held by public authorities. It focuses on transparency and accountability, rather than privacy, and applies only to public sector bodies.
GDPR
The UK General Data Protection Regulation sets out the legal framework for how personal data must be collected, stored, and processed. It focuses on protecting individuals’ privacy rights and applies to any organisation handling personal data. The current UK GDPR is essentially the EU GDPR retained in UK law after Brexit, with amendments, and it is read alongside the Data Protection Act 2018.
We have made a quick comparison table here to explain the differences with all three, as well as the ICO’s role in all of them:
| Law / Regulation | What It Covers | Who It Applies To | ICO’s Role |
|---|---|---|---|
| UK GDPR | Rules for collecting, using, and protecting personal data. | Any organisation handling personal data. | Oversees compliance, offers guidance, and enforces breaches. |
| PECR | Electronic marketing, cookies, and confidentiality of communications. | Organisations sending marketing messages or using tracking technologies. | Enforces the regulations and investigates misuse of electronic communications. |
| FOIA | Public access to information held by public authorities. | Public sector bodies. | Acts as the regulator, reviews complaints, and ensures transparency obligations are met. |
Registering with the ICO for your new business
Registering with the ICO is a requirement for many new business owners who begin collecting data, no matter how small. For new businesses, it is likely that they will only pay £52 per year for this, but it is important to check with the ICO on the correct amount that you are required to pay.
Want peace of mind with your legal filings? Our Fully Inclusive Package includes the formation of a limited company and everything you need to get started and stay fully compliant – all for just £59.99 + VAT.
At Quality Company Formations, we ensure that your business is set up for success and that the administrative side of your business is kept compliant and steady.