The Data Protection Act 2018 requires every organisation which is processing personal information as a data controller to register with the ICO, unless they are exempt.

A data controller is someone who controls the purpose of the data collection (e.g. a business collecting its customer’s personal data is the controller of that personal data. The web developers for that business might be the data processor of that personal data).

So in short, you almost certainly do, yes. However, you do not need to do so until you are operating and processing personal information.

So if you have registered a company and written a business plan, then this does not mean you need to register. Once you start to take on customer/user information though then you do.

Am I exempt?

You do not need to register if you handle personal data only for purposes of staff administration, advertising/marketing and PR, accounts and record keeping, rather than your actual commercial business operation. Provided you remain within these limits, then you do not need to register.

This means that a pre-launch business with no external operations should register when they launch and start taking on personal information, but it is not required before that.

How much is it?

Fees can vary based on the size of your organisation, but generally it will be £40 per year.

How do I do it?

You can complete the registration online via this link:

This Basic Training article was written by Legal Sidekick. Legal Sidekick is the legal platform for startups. We offer automated contracts and loads of startup legal resources and guides. For queries on GDPR or data protection compliance generally, contact us directly.



Subscribe to get access to this resource

Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors