Do We Need an ICO Number? A Plain-English Guide for CICs, Charities and Community Organisations

If you run a CIC, charity, social enterprise or grassroots community organisation, you may have been asked for your “ICO number” by a funder, partner, local authority, commissioner, insurer or due diligence team.

This can be confusing, especially for newer organisations. Some people think only large organisations need to register with the ICO. Others assume charities are automatically exempt. The truth is more practical: it depends on what personal information your organisation collects, stores and uses.

This blog explains what an ICO number is, when you may need one, when you may be exempt, and what to do next.

What is the ICO?

The ICO is the Information Commissioner’s Office. It is the UK regulator responsible for data protection and information rights.

Most organisations that use personal information need to pay a data protection fee to the ICO, unless they are exempt. This includes businesses, charities, CICs, sole traders and other organisations.

When an organisation registers and pays the data protection fee, it appears on the ICO’s public register and receives a registration reference. This is what people often mean when they ask for your “ICO number”.

What counts as personal information?

Personal information means any information that can identify a living person.

For charities, CICs and community organisations, this could include:

Names
Email addresses
Phone numbers
Home addresses
Dates of birth
Case notes
Referral forms
Equalities monitoring information
Health information
Safeguarding information
Donation records
Volunteer details
Staff and freelancer records
Photos or videos of people
Attendance lists
Survey responses
Application forms

It does not only mean highly sensitive information. A spreadsheet of names and email addresses can be personal information.

The key question: are you deciding how and why personal information is used?

The ICO fee usually applies where your organisation is a data controller. In simple terms, this means your organisation decides why personal information is collected and how it will be used.

For example, your organisation is likely to be deciding how and why personal information is used if it:

Runs a mailing list
Collects service user registration forms
Keeps records of beneficiaries
Manages volunteers
Employs staff or works with freelancers
Collects monitoring and evaluation data
Receives referrals
Makes grant decisions
Runs events and stores attendee details
Keeps safeguarding records
Uses CCTV for crime prevention
Stores donor or supporter information

The ICO says organisations that use personal information need to pay the data protection fee unless they are exempt.

So do charities and CICs need an ICO number?

Often, yes.

Many CICs, charities and social enterprises collect and use personal information as part of their normal work. If you support people, run programmes, employ staff, manage volunteers, apply for funding, send newsletters or collect monitoring information, you are probably processing personal data.

That does not automatically mean every organisation must pay the ICO fee, because exemptions exist. But it does mean you should check properly rather than assuming you are too small, too new or too community-based to need one.

The ICO provides a registration self-assessment tool to help organisations check whether they need to pay the fee and, if so, how much.

Are charities exempt?

Some organisations can be exempt from paying the fee. The ICO has an exemption category for some processing carried out for not-for-profit purposes.

However, this does not mean that every charity, CIC or not-for-profit organisation is automatically exempt. It depends on what personal information you process and why.

A small charity that only keeps limited member or supporter information may get a different result from a CIC delivering public services, collecting health information, managing referrals, running safeguarding processes, or reporting outcomes to funders.

The safest answer is: do the ICO self-assessment and keep a record of the result.

Important: exemption from the fee is not exemption from data protection law

Even if your organisation does not need to pay the ICO fee, you still need to handle personal information properly.

That means you should still think about:

What personal information you collect
Why you collect it
Whether you really need it
How long you keep it
Who can access it
Whether you share it with funders, councils, partners or delivery organisations
How you keep it secure
How people can ask to see, correct or delete their information
What you would do if information was lost or sent to the wrong person

Being exempt from paying the fee does not mean being exempt from UK GDPR or the Data Protection Act. Legal guidance for charities also makes this distinction clear: charities may be exempt from paying the fee in some cases, but that does not remove their wider data protection responsibilities.

How much does it cost?

The ICO’s current published fee tiers are (as of July 2026):

Tier 1: £52
Tier 2: £78
Tier 3: £3,763

The amount depends on the size, turnover and type of organisation. The ICO says most companies only need to pay £52 or £78 per year, while large organisations pay £3,763.

For many small charities, CICs and community organisations, if a fee is due, it is likely to be at the lower end. But you should use the ICO’s self-assessment rather than guessing.

What happens if we need to pay and do not?

If your organisation needs to pay the ICO fee and does not pay it, the ICO says you could be fined.

There is also a practical risk. Funders, commissioners, councils, banks, insurers and partners may ask for your ICO registration as part of due diligence. Not having an ICO number can slow down applications, contracts, grant payments or partnership agreements.

For service delivery organisations, having an ICO registration can also help show that you take data protection seriously.

When might a funder or partner ask for your ICO number?

You may be asked for an ICO number when you are:

Applying for a grant
Signing a service delivery contract
Working with a local authority
Receiving referrals
Handling personal or sensitive information
Delivering health, youth, employment, financial inclusion or wellbeing support
Collecting monitoring and evaluation data
Sharing data with a partner organisation
Completing safeguarding or due diligence checks
Buying insurance
Opening certain systems or platforms

If someone asks for your ICO number and you do not have one, do not panic. Check whether you need to register. If the ICO self-assessment says you are exempt, save a copy or screenshot of the outcome so you can explain your position.

A simple decision guide

You should probably check the ICO self-assessment if your organisation does any of the following:

Collects names, emails or phone numbers
Keeps service user records
Stores beneficiary information
Runs programmes or events
Employs staff
Uses freelancers or volunteers
Collects equalities, health or safeguarding information
Sends newsletters
Collects survey responses
Manages referrals
Takes donations
Uses CCTV
Reports individual-level outcomes to funders

You may be exempt if your use of personal information is very limited and falls within an ICO exemption category. But you should not assume this. Use the ICO’s self-assessment and keep a record of the answer.

What should we do now?

First, list the personal information your organisation collects. Include service users, staff, volunteers, trustees, directors, donors, newsletter subscribers, event attendees and applicants.

Second, ask: who decides why this information is collected and how it is used? If the answer is “our organisation”, you may be acting as a data controller.

Third, complete the ICO registration self-assessment. The ICO says the self-assessment helps organisations decide whether they need to pay the fee and how much they need to pay.

Fourth, if the self-assessment says you need to pay, register and keep your ICO number somewhere accessible. If it says you are exempt, save the result for your records.

Finally, remember that registration is only one part of data protection. You should also have basic data protection documents in place, such as a privacy notice, a simple data protection policy, a data retention approach, and a clear process for dealing with data breaches or access requests.

Final message for CICs, charities and community organisations

If your organisation works with people, you probably collect personal information. That means you should take the ICO question seriously.

You may need to register and pay the data protection fee. You may be exempt. But the answer should come from checking your actual activities, not from guessing based on your legal structure, size or income.

For most small organisations, the main action is simple: use the ICO self-assessment, keep a record of the outcome, and make sure your organisation handles people’s information with care.

An ICO number is not just admin. It is part of showing funders, partners and service users that your organisation can be trusted with personal information.

Next
Next

Struggling to Open a Bank Account as a CIC, Charity or Community Organisation?