Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, chances are you handle personal data every single day.
That might be customer names and email addresses, employee records, supplier contact details, or even CCTV footage from your premises. And once you’re handling personal data, a common question comes up: do you need to join the data protection register and get a data protection registration number?
It can feel like one more admin task in a long list - but for most small businesses, figuring this out is fairly straightforward once you understand (1) what the “data protection register” actually refers to in the UK, and (2) who is legally required to pay the ICO’s data protection fee.
Below, we’ll break it down in plain English, from a small business perspective, including what registration is, when you need it, what number you get, and what happens if you ignore it.
What Is The Data Protection Register (And Is It The Same As GDPR Compliance)?
In the UK, people often use the phrase data protection register to refer to the public record of organisations that have paid the ICO data protection fee (sometimes called the “public register of fee payers”).
It’s important to know what this is and what it isn’t:
- It’s not a “GDPR licence”. Paying the fee (and appearing on the public register) doesn’t automatically make you compliant with the UK GDPR and the Data Protection Act 2018.
- It’s not optional if you’re required to pay the fee. If your business falls within the rules, you must pay the fee (unless an exemption applies).
- It’s a visibility and accountability tool. Being on the register helps others identify organisations that have paid the fee, and it supports transparency around data processing.
So, think of it like this: appearing on the data protection register is often a baseline legal step for organisations that need to pay the ICO fee - but it’s only one piece of a wider data protection compliance puzzle.
What Is A “Data Controller” In Simple Terms?
Your business is usually a data controller if you decide:
- what personal data you collect (eg customer contact details),
- why you collect it (eg to fulfil orders or send invoices), and
- how you use it (eg CRM systems, marketing lists, accounting software).
Most small businesses are controllers for at least some of the personal data they handle - but being a controller doesn’t always mean you automatically have to pay the ICO fee (exemptions can apply).
Do Small Businesses Need To Register On The Data Protection Register?
Many do - but not all.
In the UK, an organisation typically needs to pay the ICO data protection fee (and appear on the public register) if it processes personal data, unless it can rely on an exemption.
In practice, many trading businesses won’t be fully exempt, because they process personal data for things like:
- customer records (names, addresses, emails, phone numbers),
- employee administration (payroll, HR, sickness records),
- marketing (email newsletters, remarketing audiences),
- security and monitoring (CCTV),
- client account management and service delivery.
Even if you’re a one-person business, if you’re handling personal data in the course of your work, it’s still worth checking whether the ICO fee applies to you.
Common Situations Where Registration Is Often Needed
You should take a close look at the ICO fee rules if you do things like:
- Run an online shop and take customer orders and delivery details
- Provide services and keep client contact files
- Employ staff (even one employee) and manage payroll or HR records
- Use CCTV in or around your premises
- Send marketing emails or manage a mailing list
If you’re collecting personal data through your website, it’s also a good time to make sure you have a clear Privacy Policy that matches what you actually do with that information.
Are There Any Exemptions For Small Businesses?
Yes - and this is where many small businesses get caught out.
Some organisations are exempt from paying the ICO fee if they only process personal data for certain limited purposes (commonly, staff administration, accounts and records, or certain types of advertising/PR). In other words, it’s not just about your size - it’s about what you do with personal data.
However, many businesses process data in ways that can fall outside those narrow purposes (for example, running broader marketing activities, using CCTV in certain ways, or offering services that involve more detailed customer records). If you process personal data for multiple purposes, you may also lose the benefit of an exemption.
This is one of those areas where tailored advice can be worth it, because the cost of getting it wrong can be much higher than the cost of registering properly.
What Is A Data Protection Registration Number (And Why Does It Matter)?
When your business pays the ICO data protection fee, you’ll receive a data protection registration number (often called your ICO registration number).
This number matters because it helps demonstrate that you’ve taken the formal step of paying the fee where required. Depending on your industry, you may be asked for it by:
- clients (especially B2B customers doing due diligence),
- partners or suppliers,
- procurement teams,
- organisations you contract with where you handle personal data.
It can also be useful internally as part of your compliance recordkeeping - especially if you’re updating policies, onboarding staff, or responding to data-related queries.
Do You Need To Display Your Registration Number On Your Website?
There isn’t a one-size-fits-all requirement to display your data protection registration number on your website. However, some businesses choose to include it in:
- privacy notices,
- email footers,
- tender documents,
- vendor onboarding forms.
If you include it publicly, make sure the rest of your public-facing privacy information is also accurate and consistent. A well-drafted GDPR package can help you line up the “paperwork” with what’s happening day-to-day in the business.
How Do You Register For UK Data Protection (And Get On The Data Protection Register)?
Paying the ICO fee (where required) is usually an online process. The key is to work out whether you need to pay it, and if so, submit the correct details.
While the steps can vary depending on your circumstances, the process generally looks like this:
1) Confirm Whether Your Business Is A Controller
Most businesses are. If you decide the purpose and method of processing personal data (rather than just following another organisation’s instructions), you’re likely acting as a controller.
2) Identify What Personal Data You Handle
Before you register, it helps to map out what you actually do with data. Keep it practical - you’re not writing a dissertation. For example:
- customer enquiries via website form
- client records in your CRM
- invoices and payment records
- employee files and payroll
- CCTV for security
Once you’ve done this, you’ll also be in a much better position to implement data protection processes that work “in real life”, like an Acceptable Use Policy for your team.
3) Register And Pay The Data Protection Fee (If Required)
If you’re required to pay the fee, you’ll submit your organisation’s details and pay the relevant amount. Fees can depend on your business size, turnover, and staff numbers, so it’s important to select the correct tier.
4) Keep Your Registration Details Up To Date
This part is often overlooked. If your business details change - for example, your trading name, address, or legal structure - you may need to update your registration.
And if you’re scaling (hiring, expanding locations, launching a new product), it’s worth reviewing your wider GDPR compliance as well, including your privacy information, internal policies, and contracts with suppliers who process personal data on your behalf.
What Happens If You Don’t Register (Or You Register Incorrectly)?
If you’re required to pay the ICO fee but you don’t, your business can face regulatory action.
That could include:
- Enforcement action and penalties for failing to pay the fee when required
- Extra scrutiny if a complaint is made about how you handle personal data
- Commercial consequences (eg losing out on contracts where clients require confirmation of your registration status)
- Reputational damage - particularly if you handle sensitive data or work with vulnerable customers
Just as importantly, registration mistakes can sometimes signal deeper compliance gaps. For example, if you say you don’t process employee data - but you actually have staff - that mismatch can create risk.
A Quick Note On “Data Protection Register” Searches
Many business owners search “data protection register” because they want to:
- check whether their business is already registered,
- verify a supplier or partner’s registration, or
- find their data protection registration number.
Those are all sensible reasons to search. Just keep in mind that being on the data protection register (ie the ICO’s public register of fee payers) is not the same thing as being fully compliant with UK GDPR obligations (like having the right policies, lawful bases, security measures, and contracts in place).
Practical Data Protection Steps Small Businesses Should Take (Beyond Registration)
Once the ICO fee position is sorted (or you’ve confirmed you’re exempt), the next step is making sure you’re operating in a GDPR-smart way from day one.
Here are practical, small-business-friendly steps that can make a big difference.
Have The Right Privacy Information In Place
At a minimum, if you collect personal data from customers or website visitors, you should have a clear Privacy Policy explaining:
- what you collect,
- why you collect it,
- who you share it with (eg payment providers, couriers),
- how long you keep it, and
- how people can exercise their rights.
If you use cookies or online tracking tools, you’ll likely also need a cookie policy and an appropriate consent approach for the tracking that requires it.
Make Sure Your Contracts And Internal Rules Match Your Data Reality
If your staff use work devices, personal devices, or shared logins (very common in small teams), data protection risk can creep in quickly.
Consider putting clear rules in place about:
- password management,
- device security and updates,
- where business data can be stored,
- how staff can share files safely.
This is where a BYOD policy approach can be a lifesaver if your team uses personal phones or laptops for work.
Check Your Tools Are Set Up With GDPR In Mind
Most small businesses rely on cloud tools (storage, email, CRMs, booking platforms). That’s fine - but you should make sure you’ve configured them appropriately, with access controls and the right settings.
If you’re unsure where the risks sit, it’s worth pressure-testing your setup, especially for file storage and sharing. Even something as simple as understanding cloud storage compliance can help you avoid accidental data breaches.
If You Monitor Staff Or Customers, Be Extra Careful
CCTV, audio recording, location tracking, and device monitoring can trigger heightened privacy obligations. You’ll want to be confident you have:
- a lawful basis for monitoring,
- clear signage/notices,
- strict access controls, and
- a clear retention policy.
It’s especially important to be cautious where audio is involved, as it can raise additional privacy risks. If your business is considering this, it’s worth understanding the rules around CCTV with audio before you install or switch features on.
Be Ready To Respond To Data Requests And Data Breaches
Even small businesses can receive:
- requests from customers to access or delete their data,
- queries about marketing opt-outs,
- complaints about how data is used, or
- security incidents (lost devices, misdirected emails, hacked accounts).
Having a plan matters - because when an incident happens, you won’t want to start building processes from scratch under pressure.
For many businesses, it’s helpful to have a data protection “baseline kit” in place (policies, training, contracts, and response plans) so your team knows what to do and who is responsible.
Key Takeaways
- The data protection register commonly refers to the ICO’s public register of organisations that have paid the UK data protection fee where required.
- Many small businesses do need to pay the fee and will receive a data protection registration number (ICO registration number), but exemptions can apply depending on what data you process and why.
- Paying the fee isn’t the same as full compliance - you still need to follow the UK GDPR and the Data Protection Act 2018 in how you collect, use, store, and share personal data.
- If you’re required to pay the fee but don’t, you may face enforcement action, penalties, and commercial consequences (like failing supplier onboarding or losing contracts).
- Beyond registration, small businesses should focus on practical compliance: clear privacy information, sensible internal policies, secure tools, and a plan for breaches and data requests.
If you’d like help figuring out whether your business needs to pay the ICO fee (and appear on the data protection register), or you want to tighten up your GDPR compliance with the right policies and documents, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.