Does my startup need to register with the ICO?

By SuLe · Updated 20 June 2026

Almost certainly yes: nearly every company that processes personal data electronically must pay the ICO's annual data protection fee, and the exemptions rarely cover a digital startup. "Registering with the ICO" is really just paying that fee and giving your details — there is no approval to earn, but skipping it can bring a penalty.

Get expert legal advice before you sign.

Book a free 20-minute call

Key facts

  • Almost every company processing personal data electronically must pay the ICO data protection fee.
  • There are three tiers based on size and turnover; the smallest has historically been £40 a year.
  • Fees are due to change — always check the current figure using the ICO's fee self-assessment.
  • The exemptions (such as pure staff administration) rarely fit a startup running analytics or a customer database.
  • Non-payment can attract a monetary penalty, and the register is public, so gaps show up in due diligence.

Do I actually have to register?

If your startup processes personal data on a computer — which effectively means any startup with users, a mailing list or analytics — the answer is almost always yes. The obligation is to pay the ICO's data protection fee.

The ICO is the Information Commissioner's Office, the UK's data protection regulator. Paying the fee is a legal duty for most data controllers, not a badge you opt into.

There is no vetting involved. You self-assess that you must pay, tell the ICO who you are, and pay the tier that fits — so "registration" is closer to a mandatory subscription than an application.


How much is the fee and which tier applies?

The fee comes in three tiers set by your size and turnover, so a two-person startup and a scale-up pay different amounts. The smallest tier — where most early-stage startups sit — has historically been £40 a year.

Because the amounts are volatile and under review, treat any figure with caution. Use the ICO's fee self-assessment tool to confirm the current cost before you pay, rather than trusting a number from an old blog post.

Paying by direct debit has at times carried a small discount, and the fee renews annually. Budget for it the same way you budget for your confirmation statement — small, recurring, and embarrassing to miss.

TierBroadly who it coversFee
Tier 1 (micro)Small organisations, low turnover — most early startupsHistorically £40/year — verify current amount
Tier 2 (SME)Medium organisationsCheck the ICO fee self-assessment
Tier 3 (large)Larger organisations, higher turnoverCheck the ICO fee self-assessment

What counts as an exemption?

Exemptions exist, but they are narrow and rarely help a digital business. The classic examples are processing solely for staff administration, only for accounts and records, or purely for a not-for-profit's own core purposes.

The moment you run web analytics, send marketing, hold a customer database, or profile users, you fall outside those carve-outs. A modern startup almost never processes data narrowly enough to qualify.

The safe default is to assume you must pay and use the ICO's self-assessment to prove otherwise. Relying on a half-remembered exemption is how founders end up with an avoidable penalty.


What happens if I don't pay?

The ICO can issue a monetary penalty for non-payment, and it does pursue organisations that should be on the register but are not. This is separate from the much larger fines for actual data breaches — it is a fine for simply not paying.

There is a reputational cost too. The register is public, so any investor's lawyer or enterprise procurement team can confirm your status in seconds during due diligence.

An unpaid fee reads as sloppiness on exactly the kind of basic compliance a buyer expects you to have handled. It is a cheap problem to avoid and a needlessly awkward one to explain.


Worked example

Nadia founds Coursefox, an edtech startup, and launches a waitlist that collects 900 email addresses, plus analytics on the marketing site. She assumes the ICO fee is only for big data companies.

It is not. Coursefox is a data controller processing personal data electronically, so the fee applies. As a small, low-turnover company it falls into the smallest tier, historically £40 a year — Nadia checks the ICO's self-assessment to confirm the current figure before paying.

She pays by direct debit and diarises the annual renewal alongside the confirmation statement. Six months later, an angel's lawyer checks the public register during due diligence and finds Coursefox correctly registered — a small box quietly ticked.


Where founders go wrong

  • Assuming the fee is only for "data companies".

    Any electronic customer list or analytics setup makes you a fee-payer.
  • Relying on an old fee figure.

    The amounts are under review, so always confirm via the ICO's self-assessment before paying.
  • Claiming an exemption that doesn't fit.

    The carve-outs are narrow and almost never cover a startup that markets or profiles.
  • Forgetting the annual renewal.

    The fee recurs — a lapse puts you back in breach and back on the ICO's radar.

Related questions

Is the ICO fee the same as registration?

In practice, yes. What people call "registering with the ICO" is paying the annual data protection fee and giving the ICO your organisation's details. There is no separate certificate or approval to win — you self-assess whether you must pay, then pay the tier that matches your size and turnover.

How much is the ICO data protection fee?

There are three tiers based on size and turnover, and the smallest tier has historically been £40 a year. Fees are due to change, so use the ICO's fee self-assessment for the current figure rather than relying on a number you read months ago. Paying by direct debit has sometimes attracted a small discount.

What happens if I don't pay the ICO fee?

The ICO can issue a monetary penalty for non-payment, and it actively chases businesses that should be registered but are not. Beyond the fine, an unpaid fee is an easy red flag for investors and enterprise customers running due diligence, because the register is public and quick to check.

Are any startups exempt from the ICO fee?

A few narrow exemptions exist — for example processing only for staff administration, or purely for a company's own not-for-profit purposes — but they rarely fit a startup that runs analytics, marketing or a customer database electronically. Assume you must pay unless the ICO's self-assessment clearly says otherwise.


The ICO fee is the easy part; the harder question is whether everything sitting behind your registration — lawful bases, processor contracts, breach procedures — actually stacks up. A SuLe solicitor can check that your registration matches how your startup really handles data. Book a free compliance check call and get the whole picture, not just the fee.

Keep reading: What does UK GDPR require from an early-stage startup? · Do I need terms and conditions and a privacy policy for my startup? · Do I need a data protection officer (DPO)? · What happens if my startup has a data breach? · What is a data processing agreement (DPA) and when do I need one? · Do I need a cookie banner on my website?

Primary sources: ICO — Data protection fee · GOV.UK — Data protection

AI-generated content. General information, not legal advice.