ICO data-protection fees are easy to miss because they are relatively small compared with payroll, audit fees, software renewals or tax payments. For finance teams, though, the risk is not the size of the annual charge. The risk is misclassifying the organisation, missing a renewal, relying on an exemption that no longer applies, or overlooking the obligation after a group restructure, acquisition, new trading entity or change in data use.
The fee applies to organisations, including sole traders, that process personal data as controllers, unless an exemption applies. That can include customer records, employee records, supplier contacts, CCTV, marketing data, client databases and many day-to-day systems used by UK businesses. The UK had an estimated 5.7 million private sector businesses at the start of 2025, including 5.64 million small businesses, so this is not a niche compliance point (DBT, 2025).
Finance teams should treat ICO data-protection fees as an annual compliance item rather than an occasional admin task. The amounts are not large for most organisations, but the public nature of enforcement and the maximum penalty for non-payment mean the issue deserves proper ownership. If you want broader support with compliance planning, reporting and finance processes, our business advisory services can help you build a more reliable annual review process.
Who needs to pay ICO data-protection fees?
The starting point is whether the organisation is a data controller. In plain English, a controller decides why and how personal data is used. Most trading businesses do this in some form, even if they do not see themselves as data-heavy.
The ICO says organisations, including sole traders, that use personal information need to pay a data protection fee unless they are exempt (ICO, 2026).
A business will often need to pay if it uses personal data for purposes such as:
- Customer management: Holding client, customer or patient records.
- Trading activity: Using personal data to deliver goods, services or professional advice.
- Marketing: Sending promotional emails, running customer lists or using CRM systems.
- CCTV: Recording identifiable individuals for security or monitoring.
- Recruitment and HR beyond basic administration: Processing applicant data, employee records and payroll details.
Some organisations assume that because they outsource payroll, HR, IT or marketing, they no longer control the data. That is often wrong. An outsourced provider may process data on your behalf, but your organisation may still decide the purpose of the processing and remain responsible as the controller.
A simple example would be a property company using a managing agent. The agent may handle tenant communications, but the company may still decide what personal data is collected and why. The finance team should not assume the agent’s ICO registration covers the company’s own obligation.
How the current fee bands work
The current ICO data-protection fees are based on a three-tier system. The fee depends mainly on staff numbers and annual turnover, with special treatment for public authorities, charities and small occupational pension schemes.
The current annual fees are:
- Tier 1: £52 for micro organisations with maximum turnover of £632,000 for the financial year or no more than 10 members of staff.
- Tier 2: £78 for small and medium organisations with maximum turnover of £36 million for the financial year or no more than 250 members of staff.
- Tier 3: £3,763 for larger organisations that do not meet the Tier 1 or Tier 2 criteria.
The ICO confirms that staff numbers include employees, workers, office holders and partners, and that part-time staff each count as one member of staff for this purpose (ICO, 2026).
This matters for finance teams because the correct tier may not be obvious from headcount alone. A professional services firm with many partners, consultants or workers should check the ICO definition rather than relying on payroll headcount. Groups should also review each legal entity separately where more than one controller exists.
The fees increased by 29.8% following the government’s data protection fee regime review. The government retained the existing three-tier structure, retained the £5 direct debit discount and retained the existing exemptions.
When an exemption may apply
Not every controller must pay. The ICO lists several exemptions, including where personal data is processed only for staff administration, advertising, marketing and public relations, accounts and records, not-for-profit purposes, personal or household affairs, maintaining a public register, judicial functions, or processing personal information without an automated system (ICO, 2026).
The word “only” is important. If an organisation processes personal data for both an exempt and a non-exempt purpose, it may still need to pay.
For example, a dormant company that only holds statutory accounting records may be exempt. A trading company that holds customer details, supplier contacts, employee records, and email marketing data is unlikely to rely solely on the accounts and records exemption.
Finance teams should also be careful after operational changes. A business may start with limited data use, then add e-commerce, CCTV, a CRM system, online booking, client portals or more active marketing. Each change can affect the exemption position.
A practical annual review should cover:
- Legal entities: Check which companies, LLPs, partnerships or sole trader businesses control personal data.
- Data use: Review customer, employee, supplier, CCTV, marketing and online systems.
- Exemptions: Confirm whether the organisation only processes data for exempt purposes.
- Evidence: Keep a short note explaining the decision, especially where no fee is paid.
This does not replace specialist data protection advice. It does, however, give finance teams a clear audit trail and makes it less likely that the issue is missed between directors, operations, HR and external advisers.
What happens if a business gets it wrong?
The direct cost of ICO data-protection fees is usually modest. The cost of getting the position wrong can be much higher.
The ICO says a controller breaks the law if it processes personal data for non-exempt purposes and has not paid a fee, or has not paid the correct fee. The maximum penalty is £4,350.
The ICO also publishes a list of organisations issued with penalty notices for not paying the fee. Its public penalty notice page says organisations that fail to pay when they should could be fined up to £4,000, although the wider statutory maximum can reach £4,350 in relevant circumstances.
For a finance director, the reputational issue may matter as much as the fine. A missed payment can suggest weak compliance discipline, even if the underlying failure was administrative. For regulated firms, professional practices, charities, education providers, healthcare businesses and organisations that handle sensitive client information, that is not a good message to send.
There is also a governance point. The fee is small enough to be overlooked, but important enough to sit within an annual compliance calendar alongside Companies House filings, insurance renewals, payroll year end, tax deadlines and software renewals. Our accounts and bookkeeping support can help keep these obligations visible as part of a wider finance routine.
How finance teams should budget for ICO data-protection fees
ICO data-protection fees should be simple to budget for, but they still need ownership. A sensible approach is to assign responsibility to finance, company secretarial, compliance or operations, then document who reviews the position each year.
The practical steps are:
- Confirm the controller position: Identify each legal entity that decides how personal data is used.
- Check the fee tier: Use turnover and staff numbers, not assumptions based on company size.
- Review exemptions carefully: Do not rely on an exemption unless all processing falls within exempt purposes.
- Set the renewal reminder: The fee is annual, so diarise it before the renewal date.
- Use direct debit where appropriate: The ICO gives a £5 discount for direct debit payments.
- Update after business changes: Review the position after acquisitions, new entities, new systems, CCTV installation or new marketing activity.
The wider business context reinforces why this matters. ONS recorded 2.73 million VAT and PAYE businesses in the UK as of March 2025, up 0.4% from March 2024, with companies and public corporations representing 76.7% of total UK businesses (ONS, 2025). As business structures, systems and data use change, small compliance duties can easily fall between teams.
ICO data-protection fees are not a complex budget line, but they are a useful test of compliance discipline. If a business cannot evidence whether it should pay, which tier applies and when renewal is due, it may have wider gaps in its finance and governance processes.
We recommend reviewing ICO registration as part of an annual compliance health check, especially for growing companies, professional firms, groups, charities and owner-managed businesses with multiple entities. If you would like us to review your finance calendar, entity structure and annual compliance obligations, speak to us about our accounting and business support and we can help you assess your ICO data-protection fees position before it becomes a problem.