The Information Commissioner's Office (ICO) have been sending letters to the registered office address* of all limited companies. These letters are asking directors to check and confirm if they need to be registered with the ICO, and if so to register and pay the fee. Here is what you need to know... 

What is the Information Commissioner's Office? 

The Information Commissioner's Office is the data protection regulator in the UK. The ICO is responsible for ensuring that data protection regulations are adhered to by UK businesses and they investigate any data protection complaints or breaches. 
 
In 2018, all small businesses came under the scrutiny of the EU’s General Data Protection Regulation, and the term GDPR was on everyone’s lips. 
 
The Data Protection Act 2018 (DPA), which implements the GDPR within the UK, has at its helm an organisation with whom anyone who processes personal data needs to register. They are called the Information Commissioner’s Office (ICO). 

What is the Data Protection Act 2018? 

With the huge leap in online activity and e-commerce over the past 20 years, it was necessary to revisit the rules that were previously in place, and the updated version of the Data Protection Act 1998 came into effect on 25 May 2018. It was subsequently amended under the EU withdrawal Act on 1 January 2021. The DPA 2018 is supplemented by the GDPR laws, which apply to anyone who processes personal data. 
 
The DPA controls how personal data is used by the government and organisations or businesses. It requires them to follow a set of rules called ‘data protection principles’, which ensure that the information collected and held is: 
 
Done so with fairness and transparency. 
Collected for specified and legitimate purposes. 
Relevant and limited to only what is necessary. 
Accurate and kept up to date, where required. 
Personal data is not kept for longer than it is needed. 
It is kept confidential. 
You are responsible for what you do with the data. 

What data is protected? 

To know if you need to register with the ICO, first you need to understand what personal data is and why it’s protected. 
 
Personal data is any information that directly or indirectly identifies or can be used to identify an individual. This includes the usual things like name, home address, phone, credit card, national insurance, customer or personnel number, number plate, physical appearance, and also their online identifiers, such as a computer IP address, account data, location and cookie data. 
 
It’s safe to assume that if you process or electronically store any information about an individual, this is classed as ‘personal data’ and is therefore subject to the rules enforced by the ICO. 

Do I need to register with the ICO? 

If you are a limited company or a sole trader, an SME or a national chain, and you process personal data, then you are required to register with the ICO and pay the data protection fee. 
 
The ICO provide a simple set of questions for individuals and organisations, designed to help you decide if you need to register with them and pay the fee. 
 
More information on how to pay the data protection fee can be found here.
 
You must register and pay the fee if you: 
 
Sell via an online marketplace such as Amazon or Etsy. 
Sell on your own online store, for example using Wix or Shopify. 
Sell or trade a list of your customer details. 
Use CCTV on your business premises for crime prevention purposes. 
 
There are some exemptions if you only process personal data as part of: 
 
Your staff administration, records and accounts, including payroll, invoicing and payments. 
Advertising, marketing and public relations in connection with your own business activity. 
Not-for-profit purposes. 
Personal, family or household affairs. 
Maintaining a public register. 
Judicial functions. 
Processing personal information without an automated system, such as a computer. 

What does the letter look like? 

See here for a copy. 

Is the letter just spam? 

Unfortunately not, and it does require your attention. 
There is a deadline on each letter requesting your prompt attention - it usually gives you a month to take action. 

What do you need to do? (IMPORTANT!) 

The letter is really clear on the actions you need to take as a director - and it is important you action this ASAP. 
 
Check if you are exempt here. You can also use the self-assessment tool to check if you need to register - see the helpful link here.  
Check if you need to pay here. If you do, the fee is usually around £40 per year. 
If you do not need to register or pay a fee, YOU MUST NOTIFY THEM here.
If you do need to register and pay, do so here.
 
If you need further assistance, we recommend you contact the ICO directly, on 0303 123 1113 ext. 1700. Unfortunately this is one admin item we cannot help with - as it isn't Tax, VAT or Accounts! 
 
*Please note - if we provide you with our registered office service, we will contact you by email to let you know that the letter has been received. 
 
 
 
 
Written by 
 
Nicola J Sorrell 
- Effective Accounting 
 
Founder | Xero Champion | IR35 Expert 