Do I need to register with the ICO?

June 15, 2026 | 4 min read


If you're starting a business, launching a website or collecting email addresses, you've probably come across references to the Information Commissioner's Office (ICO) and wondered:

"Do I need to register with the ICO?"

The answer is: maybe.

Many small businesses do need to pay a data protection fee to the ICO, but there are also exemptions. The only way to know for sure is to check your individual circumstances.

This article is designed to help small business owners understand the basics. For official guidance, always refer to the ICO (Information Commissioner's Office) website.

1. What Is the ICO?

The Information Commissioner's Office (ICO) is the UK's independent authority responsible for upholding information rights and enforcing data protection legislation, including:

  • UK GDPR

  • The Data Protection Act (DPA) 2018

  • Privacy and Electronic Communications Regulations (PECR)

  • The Data (Use and Access) Act (DUAA) 2025

If your organisation processes personal information, the ICO is the regulator responsible for overseeing how that information is used and protected.

What Does "Registering with the ICO" Mean?

In most cases, registering with the ICO means paying a data protection fee and providing some basic information about your organisation.

For many small businesses, the fee is relatively low, but failing to pay when required can result in penalties.

It's important to understand that:

Registering with the ICO alone does not make you GDPR compliant.

Registration is separate from your wider responsibilities around data protection, such as:

  • Having a Privacy Policy

  • Collecting information lawfully

  • Keeping information secure

  • Respecting people's rights

  • Following email marketing rules

Do Sole Traders Need to Register?

Sometimes.

Many sole traders assume they are automatically exempt, but this isn't always the case.

Whether you need to register depends on:

  • The type of information you process

  • Why you process it

  • How you use it

  • The systems and software you use

For example, collecting customer information, maintaining a mailing list, using a CRM system or storing client records may affect whether registration is required.

What About Small Businesses?

The size of your business isn't the deciding factor.

Even very small businesses may need to pay the data protection fee, while some larger organisations may qualify for exemptions in specific circumstances.

This is why it's important to check your obligations.

The Easiest Way to Check

The ICO provides a simple self-assessment tool that can help determine whether you need to pay the data protection fee.

If you're unsure, this should always be your first step.

The assessment only takes a few minutes and is based on your specific situation.

➡️ https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/

2. ICO Registration Is Only One Part of Data Protection

Many business owners focus on ICO registration because it feels like a clear task they can tick off a list.

However, data protection involves much more than paying a fee.

You should also make sure you have:

A Privacy Policy

This explains what information you collect, why you collect it and how you use it.

➡️ The ICO has a Privacy Policy generator (this is suitable for general business, including retail and manufacture)

Secure Systems

Whether you're using an email marketing platform, CRM, online booking system or payment processor, personal information should be stored securely.

Appropriate Consent

If you're collecting email addresses for marketing purposes, people should understand what they're signing up for and be able to unsubscribe easily.

Clear Processes

You should know how you would respond if someone asked:

  • What information you hold about them

  • To update their information

  • To delete their information

  • To stop receiving marketing emails


3. Review Things Regularly

Data protection isn't a one-time task.

As your business grows, you may introduce:

  • New software

  • New forms

  • Online bookings

  • Courses or memberships

  • Email marketing

  • Customer relationship management systems

All of these can affect how you collect, store and use personal information.

It's worth reviewing your data protection processes and Privacy Policy regularly, ideally at least once a year, to make sure they still reflect how your business operates.


4. Getting Started

  1. If you're not sure whether you need to register with the ICO, check (TIP: Use the ICO self-assessment tool).

  2. Make sure your email marketing practices are compliant and set up / review your Privacy Policy (TIP: Use the ICO Privacy Policy generator).

  3. Schedule a regular review of your policies and processes.

Taking a little time to understand your responsibilities now can save a lot of confusion later.

Disclaimer: This article is intended as general information only and should not be considered legal advice. Data protection requirements vary depending on your organisation and how you collect and use personal information. Always refer to the latest guidance from the ICO and seek professional advice if you are unsure about your obligations.


Rachel Boleyn

Founder of Donato, helping creatives and small business owners build and grow their online presence without overwhelm.
