Registering with the ICO – Ensuring Compliance for SMEs

Written by Sarah-Jane Butler and Sarah Taylor from Farringford Legal, this article outlines the importance of compliance with data protection laws and why it may be necessary for SMEs to register with the Information Commissioner’s Office (ICO).

In today’s digital age, the processing of personal data has become an integral part of conducting business activities.

If you run a small or medium-sized enterprise (SME), it’s essential to understand your obligations under the Data Protection legislation affecting the UK, including the UK Data Protection Act (UK DPA), the UK General Data Protection Regulation (UK GDPR), and even the EU GDPR if applicable. SMEs need to understand how data protection works, and why and how to register with the Information Commissioner’s Office (ICO), to ensure compliance with data protection laws.

Data Protection legislation defines personal data as “information that relates to an identified or an identifiable individual.” It’s important to note that this individual must be living, and the data becomes “personal” if it relates to that person. Since May 2018, when the EU GDPR came into force, the definition of personal data has expanded to include various aspects, such as online identifiers (e.g., usernames, social media handles, and logins), IP addresses, and more. These elements are also covered under the UK GDPR.

Pseudonymized data refers to data where identifying information is removed or replaced, reducing the risk to individual privacy. However, it is still classified as personal data under data protection laws. SMEs must be aware that even when pseudonymizing data, they must adhere to data protection regulations.

As an SME, it’s likely that you process personal data in various ways:

  • Customer and Supplier Data: You may collect and process information such as names, email addresses, telephone numbers, postal addresses (including postcodes), and even banking details for invoicing purposes.
  • Voice and Image Data: If you conduct conference calls or meetings, recording voices or images of participants can also involve personal data processing.
  • Website Data: If your business has a website, you will collect visitors’ IP addresses and may deploy cookies for tracking and analytics.
  • Employee Data: If you have employees, you’ll keep copies of their identity documents to verify their “right to work” in compliance with immigration laws.

When your business engages in any of these data processing activities, you are required to register with the ICO, the UK’s data protection regulator. The Data Protection (Charges and Information) Regulations 2018 mandate that every organization or sole trader processing personal information pay a data protection fee to the ICO unless they are exempt.

To determine if you need to pay the fee, you can take a short ICO test available on the ICO’s website. For most SMEs, the annual data protection fee to the ICO is £40, which can be further reduced if you choose to pay by direct debit. Considering the potential consequences of non-compliance with data protection regulations, this fee is a small investment in safeguarding your business and reputation.

In conclusion, ensuring compliance with data protection laws is crucial for SMEs that process personal data in their day-to-day operations. By registering with the ICO and paying the applicable fee, you demonstrate your commitment to protecting individuals’ privacy and data security. This not only helps you avoid legal penalties but also builds trust with your customers and partners. Don’t underestimate the importance of data protection—take the necessary steps to stay up to date and compliant with the law.

For more information visit or call 020 8941 7324.