ICO Fees and GDPR Fines for Small Businesses and Sole Traders

Written by Cassine Bering | February 27, 2026

Data Protection

Many small businesses and sole traders are unaware that they may have a legal obligation to pay the ICO data protection fee. But if you process any personal data as part of your business – even something as simple as maintaining email contacts – you will likely fall within scope.

Under UK GDPR and the Data Protection Act 2018, most organisations acting as data controllers must pay an annual fee unless an exemption applies.

 

Why most small businesses are required to pay

Personal data is broadly defined to include names, addresses, email addresses and any other identifying information used in a professional context. Common activities such as communicating with clients, employees of a supplier or individual professionals, keeping a mailing list, or storing contacts on a laptop or phone constitute “processing”.

If you decide why and how such personal data is used, you are a data controller and therefore likely required to pay the annual ICO fee.

Whether you are a plumber, graphic designer, musician or manufacturer – this is highly likely to include you.

 

Exemptions exist, but they are narrow

The ICO confirms that you do not need to pay a fee if your processing is solely for one or more of the following purposes:

  • staff administration
  • advertising, marketing or PR
  • accounts and records
  • not‑for‑profit purposes
  • personal, family or household affairs
  • maintaining a public register
  • judicial functions
  • manual processing only (no electronic filing systems)
  • activities of elected or prospective political representatives

The activities of a business are rarely confined to these purposes alone. They typically extend beyond the above categories, meaning an exemption cannot apply.

 

Checking whether the fee applies

The ICO provides an online self‑assessment tool to confirm whether you must pay:
https://ico.org.uk/for-organisations/data-protection-fee/data-protection-fee-self-assessment/

This is the ICO’s recommended method of determining whether the fee is mandatory.

 

How Much Does It Cost?

At the time of writing, the ICO fee is structured into three tiers based on turnover and staff numbers. Current fees range as follows:

  • Tier 1 (micro‑organisations): £40 per year
  • Tier 2 (small and medium organisations): £60 per year
  • Tier 3 (large organisations): £2,900 per year

A £5 discount applies if you pay by Direct Debit (Tier 1 and Tier 2).

Small operators therefore typically pay £35–£60 – far lower than the potential cost of non‑compliance.

 

Fines for non‑payment

Failure to pay the data protection fee is a breach of the Data Protection (Charges and Information) Regulations 2018.

The ICO has the power to issue fixed penalties specifically for non‑payment.

At the time of writing, the ICO’s official fixed penalty amounts are:

  • £400 for Tier 1 (micro‑organisations)
  • £600 for Tier 2 (small and medium organisations)
  • £4,000 for Tier 3 (large organisations)

The ICO also reserves the right to increase penalties up to a statutory maximum of £4,350 in cases involving aggravating factors such as non‑cooperation.

Even aside from fixed penalties, operating as a controller without paying the required fee is unlawful.

 

Why It’s Worth Getting This Right

There is little awareness of this area, and many businesses and sole traders who should be paying the fee simply aren’t, because they are unaware of it.

Unfortunately, that does not remove the risk of fines. For most sole traders and micro‑businesses, the annual fee is minimal – often around £40–£60 – while the risk of a larger penalty is significant. Paying the fee also ensures you appear on the public ICO register, demonstrating accountability and good data‑protection governance.

 

Key Takeaway

If you run a business or operate as a sole trader and process personal data electronically, you are likely required to pay the ICO data protection fee. The cost is small, the exemptions are narrow, and the penalties for getting it wrong are substantial.

A few minutes with the ICO’s self‑assessment tool can ensure you stay compliant and avoid an unnecessary fine.

 
