UK ICO Data Protection Registration Checker

Check if you must register with the UK ICO and estimate your data protection fee tier

Answer a few questions about your organisation type, size, and data processing to determine your UK Data Protection Act 2018 registration obligation and fee tier (Tier 1 £40, Tier 2 £60, Tier 3 £2,900). Covers public authority and small-charity rules. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

Do all businesses have to register with the ICO?

No. You must pay the data protection fee only if you process personal data and are not covered by an exemption. Organisations that process data solely for staff administration, advertising, accounts, or membership records of a not-for-profit can be exempt, but most businesses that hold customer or marketing data must pay.

The UK Information Commissioner’s Office (ICO) requires most organisations that process personal data to pay an annual data protection fee under the Data Protection (Charges and Information) Regulations 2018. This checker walks through the exemption rules and the tier thresholds so you can see whether you must pay and roughly how much.

How it works

The decision runs in two stages. First, an exemption test: if you do not process personal data at all, or you only process it for one of the narrow exempt purposes (staff administration, advertising/marketing your own goods, keeping accounts, or a not-for-profit’s own membership records) with no other processing and no automated decision-making, you may not need to pay.

If you are not exempt, the tier is set by size:

Charity (any size)                         -> Tier 1 (£40)
Public authority   <=10 staff              -> Tier 1
                   <=250 staff             -> Tier 2 (£60)
                   >250 staff              -> Tier 3 (£2,900)
Other org  <=10 staff  AND <£632k turnover -> Tier 1
           <=250 staff AND <£36m turnover  -> Tier 2
           otherwise                       -> Tier 3

A £5 discount applies to Tier 1 and Tier 2 if you pay by direct debit.

Understanding the exemptions more precisely

The exemptions under the Data Protection (Charges and Information) Regulations 2018 are narrower than many businesses assume. An organisation is only exempt if it meets one of these specific conditions and does no other personal data processing:

Processing for staff administration. This covers payroll, sick pay, managing personnel records, and disciplinary processes — but only the organisation’s own staff. Using an external HR software platform that profiles employees or runs analytics likely takes you outside the exemption.

Processing for advertising or marketing your own products and services. This exemption is for basic self-promotion — holding a list of past customers to send them newsletters, for example. If you also hold prospect data, data bought from third parties, or run behavioural profiling, you are outside the exemption.

Keeping accounts and financial records. Basic bookkeeping and tax records fall here, but if your accounting system also stores customer contact history or links to a CRM, you likely exceed the exemption.

A club, association, or not-for-profit processing only its own members’ data. A local sports club keeping a member register is the archetypal case. Selling merchandise to non-members, running a public-facing website that collects signups, or holding donor data from the public moves you out of this exemption.

No automated decision-making. Any of the above exemptions is voided if you use automated tools that make decisions affecting individuals — for example, a system that auto-scores credit applications or auto-segments marketing audiences.

What counts as “processing” personal data

The ICO takes a broad view. Processing includes collecting, storing, using, sharing, deleting, or even just holding personal data on a system. Holding a spreadsheet of customer email addresses counts. Using Google Analytics on a website counts (it processes IP addresses). Sending a monthly newsletter counts. Even encrypted data about identifiable individuals typically counts.

A sole trader who holds only their own data does not need to register — but the moment they store a customer’s name and email, they are processing personal data.

Practical examples

  • A 6-person marketing agency with £400,000 turnover holds client and prospect contact data. Not exempt (processes data beyond the narrow purposes). Falls into Tier 1 at £40, or £35 by direct debit.
  • A 40-person manufacturer with £5m turnover runs a website that collects inquiry forms and stores supplier contacts. Tier 2 at £60.
  • A 300-person local authority is a public authority. Over 250 staff → Tier 3 at £2,900.
  • A registered charity of any size pays Tier 1 at £40 regardless of staff or turnover.

Notes and example

Always confirm against the ICO’s official self-assessment before relying on the result, because edge cases such as CCTV use, processing on behalf of others (data processor vs data controller distinctions), and mixed-purpose processing can change the answer. The ICO’s online registration takes only a few minutes and the fee payment can be set up by direct debit for the £5 discount.