Does GDPR apply to my small business?

The short answer is yes. No matter the size of your business, if you are processing personal data the GDPR applies to you. Any personal data you process must be in accordance with the Data Protection Act 2018 and GDPR regulations.

However, you may not need to register with the Information Commissioner’s office and pay an annual registration fee.

If you only process the minimal amount of personal data in order to

  • administer and pay your employees,
  • maintain your business accounts (Sales and invoices) and
  • send marketing information about your business activities to your customers,

you may be exempt from registration.

The Information Commissioner’s website has a handy self-assessment tool you can use to check if you need to register. It takes around 15 minutes to complete.

If you collect personal data and process it electronically as part of your everyday core business activities, then you need to register your business with the ICO. For instance, if your business services include any of the following:

  • Marketing, advertising and PR for others
  • Accountancy or book-keeping
  • Property management including sales and lettings
  • Recruitment and HR services
  • IT support and web-hosting

These are just a few examples; use the self-assessment tool to see the full listing of processing activities.

If your business uses CCTV for crime prevention you need to register with the ICO. Using CCTV for domestic purposes is exempt. If your home is registered as your business premises and you are using CCTV, you may wish to review this CCTV Checklist from the ICO.

How much is the fee?

Registration costs start at £40 for businesses with an annual turnover under £632k or 10 or fewer employees. For companies with an annual turnover between £632k and £36 million or up to 250 employees the fee is £60.00. Organisations with over 250 employees or a turnover greater than £36 million pay a fee of £2,900.

The fee is paid annually and your business is included on the publicly accessible register maintained by the ICO. It is now a civil offence under the GDPR not to pay a fee. Previously this was a criminal offence under the Data Protection Act 1998. Fines range from £400 to £4,000, and details of the companies fined are published on the ICO’s website and social media channels.

Registration and payment can all be done online at the ICO’s website.

The publicity generated by the new GDPR regulations coming into effect in May 2018 has helped raise awareness of data protection law, and the ICO has now started to fine organisations for non-payment. In September 2018 the ICO issued 34 notices of intent to organisations for non-payment, including the NHS, government, recruitment, finance and accounting.

If you haven’t already registered and are not sure if you need to, use the self-assessment tool to check. But do remember that even if you don’t need to register your business, you must still treat the personal data you handle in accordance with the principles of the Data Protection Act and GDPR.