ICO Fees: Are You Exempt Or Not?

February 1, 2023

What is the Information Commissioner's Office?

The ICO is the UK’s independent authority responsible for upholding information rights in the public interest and the data privacy of individuals. Its major aim is to ensure that the rights of individuals over their own data are duly respected and protected. It further ensures that any business involved in processing that data respects the rights of the individuals.

As an independent regulator, it oversees different aspects of data protection, such as providing a forum for registering complaints about privacy concerns, facilitating the registration of controllers, providing guidance on data protection and the use of technology, and taking action against those who violate the rights of data subjects or individuals.

What is the requirement of registration?

Registration is mandatory under the regulation for every data controller that processes personal information. The requirement is broad enough to cover most organisations in the UK, as they assume the role of a controller in one form or another at some point in business.

Unless exempt, every organisation has to pay a fee to the ICO to register, and once registered the controller is required to renew the registration on an annual basis. Failure to renew can attract a fine of up to £4,350.

Who is exempt from registering with the ICO?

The scope of the exemption from registration is limited in nature. There are a variety of processing activities for which you need not pay the data protection fee and register:

  1. When processing is done for staff administration purposes.
  2. The processing is carried out for not-for-profit purposes.
  3. The processing activity is related to personal, family or household affairs.
  4. Processing is done to maintain a public register or to perform a judicial function.
  5. Where the processing is not done using an automated system like a computer.

There are a variety of processing operations apart from these examples, and so long as the processing remains within the limits prescribed by the regulation, there is no need to register. To confirm the exemption, use the ICO’s self-assessment tool.

What should you do next if you have received a letter from the ICO?

If you have not paid the fees and have received a letter from the ICO, begin by identifying the tier in which your business fits on the three-tier scale explained below:

  1. £40 fee – micro-organisations, with a maximum turnover of £632,000 and no more than 10 members of staff
  2. £60 fee – SMEs, with a maximum turnover of £26 million and no more than 250 members of staff
  3. £2,900 fee – large organisations, with turnover in excess of £36 million and/or more than 250 members of staff

The regulation lays down exceptions for charitable institutions and small occupational pension schemes, which are only liable to pay Tier-1 fees irrespective of their size or turnover.

Once you have determined your tier and the respective fee, you can simply pay it online. You can get a £5 discount if you set up a direct debit.

How to pay the ICO fees?

The payment is made online on the ICO’s website. First-time users can complete the payment quickly by keeping the following to hand when filling in the form:

  1. The registration number of the company
  2. The information about the number of employees in your company
  3. Bank or card details
  4. Contact details of the relevant authority in the company.

Once the payment is completed, the ICO lists the details of the company in the data protection public register.


This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.
