TL;DR / Key takeaways
- If you process personal data electronically for your business — and a sourcer holding investor lists, seller leads and KYC records almost always does — you generally must register with the ICO and pay the annual data protection fee.
- The fee is set in three tiers by size and turnover under the Data Protection (Charges and Information) Regulations 2018; confirm the current amounts on the ICO website.
- Registration sits alongside your UK GDPR duties — lawful basis, a Record of Processing Activities (ROPA), security and retention — not instead of them.
- AML/KYC records are generally kept five years under the Money Laundering Regulations 2017, then deleted in line with GDPR's storage-limitation principle.
- Not paying the fee when required is an enforceable breach with a monetary penalty of up to several thousand pounds.
- ICO registration is one of several parallel obligations — it does not replace HMRC AML supervision, redress membership or Trading Standards duties.
- This is general information, not financial, legal or tax advice — seek independent professional advice. L&M is currently AML supervision pending and waitlist only.
Do property businesses need to register with the ICO? In most cases, yes — if you process personal data electronically for a business purpose, registration and the data protection fee are a legal requirement. A property sourcer or agent who holds investor contact lists, seller enquiries, viewing notes and anti-money-laundering identity records is processing personal data on a substantial scale, which is exactly what the regime is built around. This guide explains when ICO registration applies, how the data protection fee tiers work, what counts as processing, the lawful basis and ROPA basics, how KYC retention interacts with UK GDPR, and where ICO registration sits among a sourcer's other obligations.
Who must register with the ICO?
ICO registration is the act of notifying the Information Commissioner's Office that your organisation processes personal data, and paying the annual data protection fee set out in the Data Protection (Charges and Information) Regulations 2018. It is a standalone legal obligation that runs in parallel with the wider duties in the UK GDPR and the Data Protection Act 2018.
The starting point is simple: if you process personal data on a computer or other automated system for a business purpose, you almost certainly need to register and pay the fee. A property sourcer rarely escapes this, because the entire model runs on data about identifiable people. Consider what a typical sourcing operation holds:
- Investor lists — names, contact details, budgets, strategy preferences and prior enquiries, usually in a CRM or spreadsheet.
- Seller and vendor leads — owners who have asked to sell, often including sensitive context about their circumstances.
- Website enquiry and waitlist submissions — every form that captures a name and email.
- KYC and AML records — identity documents, proof of address and source-of-funds evidence collected for due diligence.
There is a narrow set of exemptions — for example some organisations that only process data for limited internal purposes such as staff administration or their own accounts. In practice these rarely cover a commercial sourcing business, which markets to investors and handles third-party seller data as its core activity. Do not assume you are exempt because you are small or a sole trader; the exemptions turn on what you do with the data, not your size. Confirm your specific position with the ICO before deciding either way.
The data protection fee and its three tiers
The fee is the price of registration, and it is deliberately modest. It is not a charge for advice, approval or a quality mark — it funds the ICO's work as the UK's data protection regulator. The amount you pay depends on which of three tiers you fall into, assessed mainly by staff numbers and annual turnover.
| Tier | Who it typically covers | Rough indicator |
|---|---|---|
| Tier 1 — Micro | Smallest organisations, including many sole-trader and start-up sourcers | Lowest annual fee |
| Tier 2 — Small & medium | Established firms above the micro thresholds for staff or turnover | Mid annual fee |
| Tier 3 — Large | Larger organisations above the small/medium thresholds | Highest annual fee |
Most independent property sourcers and small agencies will sit in Tier 1, and many qualify for a discount when paying by direct debit. Because the thresholds and amounts are set by regulation and reviewed from time to time, treat the figures published on the ICO website as the source of truth at the moment you register. Budget for it as a small recurring annual cost, renewed each year.
What counts as processing personal data
Personal data is any information relating to an identified or identifiable living person. Processing is almost anything you do with it — collecting, recording, storing, organising, viewing, sharing, amending or deleting. If a record can be linked back to a named individual, directly or indirectly, the data protection rules apply to it.
This catches far more than people expect. It is not only the formal CRM; it is the inbox of seller enquiries, the spreadsheet of investor budgets, the notes from a viewing, the WhatsApp thread with a vendor, and the folder of scanned passports gathered for AML checks. Each of those is personal data, and in some cases — identity documents and source-of-funds material — it shades into more sensitive territory that warrants tighter security.
The practical takeaway is that a sourcer cannot ring-fence "the data we care about" from everything else. The obligation attaches to the personal data wherever it lives. That is why registration is the floor, not the ceiling: paying the fee acknowledges that you process this information, but it is the day-to-day handling that the law actually cares about.
Lawful basis and the ROPA
UK GDPR does not let you process personal data simply because it is convenient. For each activity you must identify a lawful basis, and you should be able to say which one applies to what. For a property sourcer the common bases map roughly as follows:
- Contract — data you need to deliver a service the investor or seller has agreed to.
- Legitimate interests — proportionate business and marketing activity, supported by a documented balancing assessment that weighs your interest against the individual's rights.
- Legal obligation — records you are required to hold under other laws, such as AML records under the Money Laundering Regulations 2017.
- Consent — needed for certain direct electronic marketing under the Privacy and Electronic Communications Regulations (PECR); it must be freely given and revocable.
Why the ROPA matters
A Record of Processing Activities (ROPA) is the written inventory that ties all of this together: what data you hold, why, the lawful basis, who you share it with, how long you keep it and how it is secured. Most organisations processing personal data are expected to maintain one, and it is among the first documents the ICO asks to see. For a sourcer it is also genuinely useful — it becomes the map you reach for when an investor asks what you hold about them, or when you need to know whether a five-year-old KYC file is due for deletion. Build it once, keep it current, and most other data-protection tasks become easier. Confirm the current ROPA expectations on the ICO website.
Retaining AML and KYC records under GDPR
Retention is where data protection and anti-money-laundering rules meet, and the two pull in the same direction once you understand them. Under the Money Laundering Regulations 2017, customer due diligence and transaction records are generally retained for five years after the business relationship ends or the transaction completes. After that, they should usually be deleted unless another legal obligation requires you to keep them.
UK GDPR's storage-limitation principle says you must not keep personal data for longer than you need it. Far from conflicting, the AML rule gives you a clear, defensible answer to the GDPR question: you keep KYC records for five years because the law requires it, and you delete them afterwards because GDPR requires that. The discipline is to write the retention period down in your ROPA, apply it consistently, and actually run the deletions when they fall due — holding records "just in case" indefinitely is itself a GDPR failing. Confirm current retention obligations with the ICO and HMRC, as both regimes are reviewed periodically.
Consequences of not registering
The data protection fee is small; the cost of ignoring it is not. The ICO maintains a public register of organisations that have paid, sends reminders to those it believes should be registered, and can impose a monetary penalty for non-payment running to several thousand pounds depending on the tier you should have been in. That penalty is separate from any enforcement for wider UK GDPR breaches such as a data breach or unlawful processing.
- Financial penalty for failing to pay the fee, scaled by the tier you fall into.
- Public visibility — being absent from the register is checkable by anyone, including the investors and partners doing diligence on you.
- Separate GDPR exposure — non-registration often signals weaker data handling generally, which is exactly what attracts further scrutiny.
For a firm that wants to be trusted with investor and seller data, registration is simply a basic cost of operating credibly — cheap insurance against a penalty and a reputational dent that outlasts it.
Where ICO registration sits among a sourcer's obligations
It is tempting to treat compliance as a single box to tick. It is not. ICO registration is one of several parallel obligations, each covering a different risk, and satisfying one does nothing for the others.
The data-only operator
Paying the ICO fee and assuming the rest is covered is a common and costly error. Data protection says nothing about whether you are supervised for money laundering, whether you belong to a redress scheme, or whether your marketing is fair and accurate. A sourcer registered with the ICO but unsupervised for AML is still committing a separate, serious breach.
The mapped, compliance-led operator
A credible firm maps every regulator before trading: ICO for data protection, HMRC for anti-money-laundering supervision, a government-approved redress scheme for consumer complaints, and Trading Standards and consumer-protection law for fair conduct. Each is registered, documented and owned, and the firm can show where each obligation is met rather than hoping one registration covers them all.
Who's behind L&M
Built by two disciplines most sourcing firms never combine
L&M was built by two disciplines most sourcing firms never combine — a property operator who has built and run a real-estate portfolio (sourcing, refurbishing, financing and exiting), and a wealth manager who has advised serious capital (underwriting risk, structuring, protecting downside). Every opportunity is researched, modelled and stress-tested before an investor ever sees it.
That same instinct shapes how L&M approaches regulation. The firm is being built compliance-led, with data protection, due diligence and record-keeping designed in from the start rather than bolted on. L&M's HMRC AML supervision is pending, and the firm is operating a waitlist only while that registration is in progress.
Learn how compliant sourcing actually works
L&M Academy walks through data protection, AML, due diligence and the operating standards behind credible property sourcing — the same compliance-led approach L&M is being built on.
Explore L&M Academy → AML supervision pending. Waitlist only. This is general information, not financial, legal or tax advice — seek independent professional advice.
Verifiable sources cited in this guide
Where each claim comes from
Every regulatory claim above is traceable to a public, dated source. We update this article whenever any cited rule changes.
- Data Protection Act 2018 and UK GDPR: the core data protection framework, lawful basis, ROPA and storage limitation.
- Data Protection (Charges and Information) Regulations 2018: the data protection fee and its three tiers.
- Information Commissioner's Office (ICO): registration, current fee amounts, exemptions and ROPA expectations.
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017: the five-year retention of AML and KYC records.
- Privacy and Electronic Communications Regulations (PECR): consent for direct electronic marketing.
Last fact-check pass: 2 June 2026. Author: L&M Property Sourcing Editorial Team. This article is for information only and does not constitute legal, financial or tax advice — always seek independent professional advice before acting, and confirm current obligations with the ICO.