Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you’re running a small business, you’ve probably heard someone mention a “data protection number” and wondered if it’s something you need before you can start collecting customer details, sending marketing emails, or even paying staff.
Don’t stress - in the UK, the “data protection number” people usually mean is your ICO registration (reference) number, which you get if you register with the Information Commissioner’s Office (ICO) and pay the data protection fee (where you’re required to). It’s related to data protection compliance, but it’s not the same as “being GDPR compliant”.
In this guide, we’ll break down what a data protection number is, when your business might need one, how exemptions work, and how to get it sorted properly so you’re protected from day one.
What Is A Data Protection Number In The UK?
In the UK, a “data protection number” is the term people commonly use to describe the registration number issued by the Information Commissioner’s Office (ICO) when an organisation registers and pays the data protection fee.
This is sometimes also called:
- ICO registration number
- ICO reference number
- data protection registration number
If you have one, it typically appears in a format like ZB123456 (formats can vary). Many businesses put it in their Privacy Policy, on invoices, or in email footers - mainly because it’s a quick way to show they’re registered with the ICO.
Is A Data Protection Number The Same As GDPR Compliance?
No - and this is where many businesses get caught out.
Paying the ICO fee and having an ICO registration number doesn’t automatically make you UK GDPR compliant. It’s a separate registration/fee obligation that applies to some organisations that process personal data.
UK GDPR compliance is broader and includes things like:
- having a lawful basis for collecting and using personal data
- being transparent with people about what you do with their data
- keeping data secure
- having contracts in place when you use suppliers who process data for you
- responding correctly to subject access requests (SARs)
In other words: the data protection number is only one piece of the privacy puzzle.
When Does A Business Need A Data Protection Number?
Whether you need a data protection number depends on whether your business is required to pay the ICO data protection fee. Many UK businesses do need to pay it, but some businesses are exempt - so it’s worth checking, rather than assuming either way.
The requirement comes from the Data Protection Act 2018 and the ICO’s fee regime (often referred to as “notification”). In practice, a helpful starting question is:
Are you processing personal data as part of running your business, and do you fall within an exemption?
Even a lean operation will often process personal data by doing things like:
- keeping a customer list (names, emails, phone numbers)
- invoicing clients and storing contact details
- holding employee records (or even contractor details)
- running CCTV at premises
- marketing to leads (even if it’s just a monthly newsletter)
- using cloud tools to store customer files
If your business does any of the above, take the “data protection number” question seriously - but also check the ICO guidance and self-assessment, because exemptions apply more often than people expect, depending on what you do with the data.
Common Small Business Scenarios Where You Might Need One
Here are some practical examples where a business often needs to pay the ICO fee and have an ICO registration reference:
- Ecommerce store collecting customer names/addresses for deliveries
- Consultancy or agency managing client contacts and project notes
- Trades business storing customer details in a booking system
- Clinic or wellness provider holding health-related information (this is higher risk, too)
- Hospitality venue taking bookings and contact details
- Any employer holding employee payroll and HR information
Separately from the ICO fee, you’ll also want to make sure your customer-facing privacy information is in order - for example a clear Privacy Policy if you collect personal data through a website, platform, or sign-up form.
Are There Any Exemptions (And When Don’t You Need One)?
Yes - some organisations are exempt from paying the ICO data protection fee. This is where it gets a bit technical, because the exemption is not simply “I’m small” or “I’m a sole trader”.
Generally, an exemption may apply where you only process personal data for certain limited purposes, such as:
- staff administration (e.g. payroll, HR)
- accounts and records (e.g. invoicing, taxation records)
- advertising, marketing and PR for your own business (in some cases)
In practice, many businesses fall outside the exemptions as soon as they do anything beyond those limited purposes - for example, running CCTV, providing services that involve keeping customer records, processing special category data, or sharing personal data with other organisations in ways that go beyond the exempt categories. If you’re unsure, the safest approach is to use the ICO’s fee self-assessment and, if needed, get advice.
Be Careful: Exemption From The ICO Fee Doesn’t Mean Exemption From UK GDPR
Even if your business is exempt from paying the fee (and therefore doesn’t have an ICO registration number), you still need to comply with UK GDPR and the Data Protection Act 2018 when you process personal data.
That includes basics like:
- secure handling and restricted access
- not collecting more data than you need
- only keeping data as long as necessary
For example, if you’re unsure how long you should keep customer enquiries, employee records, or old mailing lists, your retention approach should be deliberate - not accidental. A sensible retention plan is a key part of privacy compliance, and it often ties into data retention decisions for your business.
How To Get A Data Protection Number (Step-By-Step)
If you’ve worked out that your business needs a data protection number, the process is usually straightforward. The number is issued when you complete your ICO registration and pay the fee for the tier that applies to you.
Step 1: Confirm Who The “Controller” Is
The ICO fee is typically paid by the organisation acting as the data controller (the business deciding how and why personal data is used).
Examples:
- If you run a limited company, the company is usually the controller.
- If you’re a sole trader, you (as the business) are usually the controller.
Step 2: Work Out Your Fee Tier
The ICO uses a tiered fee system. The correct tier often depends on factors like:
- your annual turnover
- number of staff
- whether you’re a public authority or charity (special rules may apply)
The ICO’s registration journey will usually guide you through this.
Step 3: Register And Pay The Fee
You apply directly with the ICO. Once registered, you’ll receive confirmation and your data protection number (ICO registration reference).
Many businesses set the payment to renew automatically each year. If you forget to renew, you can end up without a valid registration - which can create unnecessary compliance risk.
Step 4: Update Your Business Documents And Notices
Once you have your data protection number, you should consider where it needs to appear. While it isn’t always legally required to display it publicly, it’s commonly included in places like:
- your Privacy Policy
- email footers
- supplier onboarding forms
- tender documentation
If you’re working with suppliers who handle personal data for you (for example, email marketing platforms, payroll providers, cloud storage tools), you’ll often also need a Data Processing Agreement in place (or at least appropriate data protection clauses) so responsibilities are clear.
What Happens If You Don’t Register (But You Should Have)?
If your business is required to pay the ICO data protection fee and you don’t do it, you may be contacted by the ICO and required to pay:
- the outstanding fee
- a penalty (in some cases)
More broadly, not having your data protection number sorted can create commercial and legal headaches, such as:
- lost deals: many clients (especially larger organisations) ask for your ICO registration number during onboarding
- reputational risk: it can look like you’re not taking privacy compliance seriously
- greater scrutiny if something goes wrong: for example, following a data breach or customer complaint
It’s also worth remembering that data protection compliance isn’t only about registration. If your team uses work devices, business email accounts, or cloud software, privacy compliance quickly overlaps with your internal policies and day-to-day operations - for example, whether work email addresses are personal data (they often are) and how your staff should handle them.
Practical Compliance Tips For Small Businesses (Beyond The Data Protection Number)
Once your data protection number is sorted (if you need one), the next step is making sure your business is actually handling data in a compliant, low-risk way.
Here are practical actions that make a real difference for small businesses.
1. Map What Personal Data You Collect (And Why)
Make a simple list of what you collect, where it comes from, where it’s stored, and who you share it with. For example:
- website enquiries → inbox/CRM
- online orders → ecommerce platform + courier
- employees → HR folder + payroll provider
This helps you spot risk areas quickly (like data being stored in too many places, or staff using personal devices without controls).
2. Be Clear With Customers And Users
Your Privacy Policy should match what you actually do - not what you think a “standard template” says.
If you use cookies, track analytics, run remarketing, or collect leads through forms, your disclosures should reflect this. If you’re unsure what your website should say, a proper privacy compliance setup (including the right policies and wording) is often bundled into a broader GDPR package approach.
3. Put Internal Rules In Place (So Your Team Doesn’t Accidentally Create Risk)
Small businesses often handle personal data in informal ways - shared inboxes, Slack messages, spreadsheets, and forwarded email chains.
That can work operationally, but it can also create privacy issues if there aren’t clear boundaries. An Acceptable Use Policy can help you set ground rules around business devices, systems access, password management, and handling customer information.
4. Vet Your Tools (Especially Cloud Storage)
Most small businesses rely on cloud software. That’s fine - but you should still know what you’re using, where data is hosted, and what your contractual protections are.
For example, if your business stores customer or staff data in cloud drives, you should think about security configuration, access controls, and whether the service meets UK GDPR requirements. Questions like whether cloud storage is GDPR compliant come up a lot, especially when you start working with bigger clients who ask about your security practices.
5. Remember Marketing Rules (UK GDPR + PECR)
If you do email or SMS marketing, there’s often an extra layer of compliance under the Privacy and Electronic Communications Regulations (PECR).
That means consent and opt-out rules matter, and you’ll want to make sure your mailing list practices are compliant - particularly if you’re collecting leads online or running promotions.
This is one of those areas where businesses are doing the “normal marketing thing” but don’t realise the legal settings underneath. It’s worth getting advice early, because fixing a messy mailing list later is painful (and can affect your deliverability as well as your legal risk).
Key Takeaways
- A data protection number in the UK usually refers to your ICO registration number, issued when you register and pay the ICO data protection fee (if required).
- Having an ICO registration number is not the same as being GDPR compliant - it’s just one part of your wider privacy obligations under UK GDPR and the Data Protection Act 2018.
- Many small businesses process personal data (customers, staff, suppliers) and may need to pay the ICO fee - but some limited exemptions can apply depending on what personal data you process and why, so it’s worth using the ICO’s self-assessment.
- If you need a data protection number, you can usually get it by registering with the ICO, selecting the correct fee tier, and paying the annual fee.
- Even if you’re registered, you should still have the right practical compliance foundations in place, including a clear Privacy Policy, suitable supplier terms, and internal rules for staff handling data.
This article provides general information only and doesn’t constitute legal advice. If you’d like help working out whether your business needs a data protection number, or you want to tighten up your privacy compliance so you’re protected from day one, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.