Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, you may have come across the question of who is exempt from registering with the ICO.
It’s a fair question. The rules around data protection can feel like they were written for big tech companies - but in reality, they apply to everyday businesses too, from online retailers and trades businesses to consultants and local cafés.
In this guide, we’ll break down what “registering with the ICO” really means (spoiler: it’s usually about paying a data protection fee), when you may be exempt, and how to make sure you’re not missing a key compliance step.
What Does “Registering With The ICO” Mean For A Business?
When people say “register with the ICO”, they’re usually referring to paying the ICO data protection fee (sometimes called “data protection registration”).
The ICO (Information Commissioner’s Office) is the UK’s data protection regulator. If your business processes personal data, you generally need to:
- comply with the UK GDPR and Data Protection Act 2018 (how you collect, use, store and protect personal data), and
- pay the ICO data protection fee unless an exemption applies.
This fee requirement comes from the Data Protection (Charges and Information) Regulations 2018 (often shortened to “the Charges Regulations”).
Important: paying the fee is not the same as “being GDPR compliant”. Paying the fee is one obligation; GDPR compliance is broader (policies, processes, contracts, and good data-handling habits).
What Counts As “Personal Data” In A Small Business?
Personal data is information that identifies someone (directly or indirectly). Common examples include:
- customer names, phone numbers, email addresses, delivery addresses
- employee records (payroll details, performance notes, sickness records)
- CCTV footage where individuals can be identified
- IP addresses and device identifiers (common for websites)
If you’re unsure what “personal data” covers in practice, even something like work email identifiers can be relevant - it’s worth checking guidance on work email addresses as personal data in a business context.
Who Is Exempt From Registering With The ICO?
Let’s tackle the main question head-on: who is exempt from registering with the ICO?
In plain terms, you may be exempt from paying the ICO fee if your business only processes personal data for certain limited purposes set out in the Charges Regulations.
These exemptions are narrow. Many trading businesses handle personal data in ways that fall outside the exemptions (especially once you factor in customer management, service delivery, website operations, or CCTV).
The Main ICO Fee Exemptions (In Plain English)
You may be exempt if you only process personal data for one (or more) of the following purposes:
- Staff administration (eg paying staff, managing shifts, performance, training, sickness records)
- Advertising, marketing and public relations (this can be an exempt purpose under the Charges Regulations, but the exemption usually falls away if you also process personal data for wider business activities such as customer/client management, fulfilling orders, delivering services, operating a booking system, or running CCTV)
- Accounts and records (eg invoicing, bookkeeping, and keeping basic transaction records)
- Not-for-profit purposes (where applicable, and where processing is only for establishing/maintaining membership or providing activities for members)
- Personal, family or household affairs (this is usually for individuals, not trading businesses)
- Maintaining a public register (this is rarely relevant to SMEs)
- Judicial functions (generally not relevant to commercial businesses)
The big catch: the exemption usually only applies if those are the only reasons you process personal data. The moment you use personal data for broader business operations (like managing customers, delivering services, or operating security systems), you may no longer be exempt.
Common Reasons Small Businesses Are Not Exempt
Even very small businesses often do at least one of the following:
- keep a customer database (even a simple spreadsheet)
- send marketing emails or newsletters
- use CCTV for security
- use cookies/analytics on a website
- process “special category” data (eg health information in some service businesses)
Any of these may mean you need to pay the fee.
And if you’re using tools like cloud storage or email platforms, your compliance obligations don’t disappear just because a provider is “big” - you still need to handle personal data lawfully and securely (including checking whether your setup is appropriate). This is where questions like Google Drive GDPR compliance become relevant in practice.
Do I Need To Register With The ICO? Common Small Business Scenarios
Because the exemptions can be tricky, it often helps to look at real-life scenarios. Here are common examples we see with small UK businesses.
1) Sole Trader With No Employees And No Marketing List
If you’re a sole trader and you genuinely only keep:
- basic accounts records (invoices, payments), and
- supplier details, and
- minimal customer contact information needed to deliver your service,
you might fall within an exemption - but it depends on how you operate.
For example, if you keep a client list to follow up and offer services again, or you send promotional emails, you’ve likely moved beyond the narrow “accounts and records” type processing.
2) Limited Company With Employees
If you employ staff, you will process personal data for staff administration. That purpose itself can be exempt as a category - but most employing businesses also process customer data, run marketing activity, or have CCTV.
Also, employing staff comes with extra compliance steps around device use and monitoring. If your team uses work laptops or you monitor systems, you’ll want clear internal rules (and transparency) in place, often supported by an Acceptable Use Policy.
3) Online Shop Or Booking-Based Business
If you sell online, take bookings, or collect customer details through your website, you will usually process personal data as a core part of your operations.
Common non-exempt activities include:
- customer account creation
- delivery fulfilment records
- abandoned cart emails and promotional campaigns
- behaviour tracking via cookies/analytics
These businesses generally need to pay the ICO fee and have customer-facing documents like a Privacy Policy that actually matches how data is used.
4) Business Using CCTV (Even If It’s “Just For Security”)
CCTV can be a strong indicator that you are not exempt, because you’re processing personal data (images of identifiable people) for security purposes.
And if you record audio as well as video, the legal risk increases - it’s not just a “set and forget” approach. If your premises use surveillance, it’s worth understanding the additional compliance pitfalls around CCTV with audio.
5) Professional Services (Accountants, Consultants, Agencies)
Professional services businesses often handle:
- client contact details
- project notes and communications
- sometimes sensitive information (financial data, HR data, health details)
This is usually not limited to “accounts and records”. As a result, paying the ICO fee is commonly required.
How To Check If You’re Exempt (And What To Do If You’re Not)
If you’re unsure whether you fall within an exemption, don’t guess. The cost of getting it wrong isn’t just financial - it can also create risk if something goes wrong and you’re investigated.
A Practical “Exemption Check” For Business Owners
Ask yourself:
- Do we hold any customer list (CRM, spreadsheet, email contacts, booking system)?
- Do we market to customers by email, SMS, post, or targeted ads?
- Do we use CCTV or doorbell cameras covering business premises?
- Do we track website visitors using analytics/cookies?
- Do we process any sensitive data (health, biometrics, DBS info, etc.)?
If you answered “yes” to any of the above, you’re more likely to need to pay the ICO fee.
If You’re Not Exempt: What Does “Registering” Involve?
For most businesses, registering means:
- working out your fee tier (based on staff numbers and turnover)
- paying the annual fee to the ICO
- keeping your details up to date and renewing as required
Many small businesses fall into the lowest tier, but it still needs to be done correctly.
And remember: paying the fee doesn’t replace GDPR compliance work. It’s one part of the picture.
What Else Should You Do Besides Paying The ICO Fee?
Even if you are exempt from paying the ICO fee, you still need to comply with UK GDPR and the Data Protection Act 2018 if you process personal data.
Think of the ICO fee as one compliance “admin step”, and GDPR compliance as your ongoing legal foundation for handling customer and staff information properly.
Key GDPR Building Blocks For Small Businesses
Depending on what you do, your compliance foundation often includes:
- A clear privacy notice explaining what you collect, why, and how people can exercise their rights (commonly done via a website Privacy Policy).
- Appropriate contracts with suppliers who process personal data on your behalf (for example, IT providers, booking platforms, marketing tools).
- Internal policies so your team knows what to do (and what not to do) with personal data, especially where devices and systems are involved.
- Security measures that match your risk level (access controls, encryption, backups, device management).
- A plan for data breaches (because even careful businesses can have incidents).
If you want something structured rather than piecing it together yourself, many businesses prefer using a documented compliance bundle like a GDPR package so the basics are covered properly and tailored to how the business actually operates.
Be Careful With Monitoring Staff Devices And Activity
Plenty of small businesses use monitoring for security or productivity - for example, checking browser history on a work computer or auditing email access after an incident.
But monitoring employees is a privacy issue, and you need to get it right (including transparency and proportionality). If this comes up in your business, it’s worth understanding the compliance risks around monitoring internet search history at work.
When It’s Worth Getting Tailored Legal Advice
For many small businesses, the tricky part isn’t paying the fee - it’s working out whether you’re exempt and whether your day-to-day processes are compliant.
It’s especially worth getting advice if you:
- handle sensitive or high-risk data (health, biometrics, children’s data)
- use CCTV in or around your premises
- run marketing campaigns or build customer lists
- share data with contractors, suppliers, or overseas service providers
- aren’t sure what documentation you should have in place
If you’re in that “we’re probably fine… but we’re not totally sure” zone, a Data Protection Consultation can help you map what you do in practice to the legal obligations that apply - and fix gaps before they become a problem.
Key Takeaways
- “Registering with the ICO” usually means paying the ICO data protection fee under the Data Protection (Charges and Information) Regulations 2018.
- Exemptions from the ICO fee are limited, and only apply where you process personal data solely for the specific exempt purposes set out in the Charges Regulations.
- Many small businesses are not exempt because they process customer data, run marketing activity, use CCTV, or track website visitors.
- Even if you are exempt from the fee, you still need to comply with UK GDPR and the Data Protection Act 2018 if you process personal data.
- Getting your privacy documents and internal processes right from day one can reduce risk, build customer trust, and prevent expensive compliance issues later.
If you’d like help working out whether you need to pay the ICO fee, or you want to tighten up your GDPR compliance with the right documents and practical processes, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


