Do you need to register (notify) under the Data Protection Act?

January 22, 2013

Many companies are at risk of committing a criminal offence and attracting bad publicity by failing to register (notify) under the Data Protection Act. Notification to the Information Commissioner’s Office (ICO) under the Data Protection Act is a relatively straightforward step. On the other hand, failure to notify is publicly visible – because firms which have registered are on the searchable register on the Information Commissioner’s website which contains the name and address of data controllers and a description of the kind of processing they do – and could also betray a failure to comply with Data Protection requirements more generally.

The Data Protection Act requires every data controller who is processing personal information to register with the ICO, unless they are exempt. Failure to notify where required to do so is a criminal offence.

The Act largely covers personal data held on computer, but it also manual data that is held within a structured filing system.

Most organisations that handle personal information must register (notify) with the ICO. There is no need to register if you handle personal data only for core business purposes of staff administration, advertising marketing and PR and accounts and record keeping. So long as processing remains strictly within these limits, then there is no need to register. However, even if you are exempt from registration you must still comply with the other provisions of the Act, and it may be advisable to register voluntarily for public transparency and in case any of your processing should extent beyond the scope of the exemptions (so as to avoid the criminal offence of processing without notification).

Registration cannot, as yet, be effected online in the UK but the forms may be completed using the standard templates available from the ICO website and, once completed online, may be printed off, signed and sent with the appropriate fee to the ICO. The fee is £35 but for larger data controllers with an annual turnover of £25.9 million and 250 or more members of staff, the fee is £500.

The ICO does not seek to verify the contents of the notification and cannot refuse registration. However, in the event of any sort of regulatory action following for example a complaint about data protection, the ICO may check that the notification is accurate and take enforcement action if it is found to be incomplete.

Notifications are renewable annually. There is no such thing as a parent company registration, which means that each data controller within a corporate group must register. The data protection register can be searched on the ICO website at

Contact us if you need any assistance with notification.


Related pages:

Data protection privacy & emarketing more

Data Protection, Privacy and emarketing more

Technology, Media & Digital more

icons Addthis Print Contact Register


tel: +44 (0) 20 7628 2000
10 Finsbury Square, London, EC2A 1AF
View map

For more information


Nigel Miller
Direct dial: +44 (0)20 7614 2504


  • Top Ranked Chambers UK 2014 - Leading Firm
  • Ranked in Chambers Europe 2013 - Leading Individual
  • Ranked in Chambers Global 2014 - Leading Firm
  • Legal 500 - Leading Firm
  • The Lawyer UK 200 - Listed Firm
  • The Law Society Excellence Awards 2012 - Shortlisted
  • Investors in People - Bronze