Chris Coombes, 7 min read

GDPR and Your Website: What Every UK Small Business Owner Needs to Know

Tags: gdpr, small-business, legal, privacy, uk

If you run a small business and have a website, GDPR applies to you. That is not a maybe — it applies whether you are a sole trader, a limited company, or anything in between. But the good news is that for most small business websites, compliance is simpler than the endless news coverage makes it sound.

This post cuts through the noise and explains what you actually need to do.

What Is GDPR and Why Does It Still Apply After Brexit?

GDPR stands for General Data Protection Regulation. It came into force across the EU in 2018. After Brexit, the UK adopted its own version — called UK GDPR — which is almost identical to the EU original. So if you thought leaving the EU meant leaving GDPR behind, unfortunately that is not the case.

UK GDPR governs how businesses collect, store, and use personal data. On your website, personal data includes things like:

  • Names and email addresses submitted through a contact form
  • IP addresses (collected automatically by most websites)
  • Cookies that track user behaviour across the internet
  • Any information someone submits when booking a service or signing up to a newsletter

If your website does any of these things — and nearly all of them do — you have data protection obligations.

Do You Need to Register with the ICO?

The Information Commissioner's Office (ICO) is the UK's data protection regulator. Most businesses that process personal data are required to pay a data protection fee and register with them. For most small organisations, this is £40 or £60 per year.

There are some limited exemptions — for example, if you only process personal data for internal staff administration — but if your website collects enquiries from the public or tracks visitors with analytics, you almost certainly need to be registered.

The ICO has a self-assessment tool on their website that lets you check whether registration applies to your business. It takes about five minutes.

What Does Your Website Actually Need?

For most small business websites, GDPR compliance comes down to four practical requirements.

1. A Privacy Policy

You must have a privacy policy on your website. This tells visitors what data you collect, why you collect it, how long you keep it, and who you share it with. It does not need to be written in dense legal language — it just needs to be clear and honest.

Key things to cover in your privacy policy:

  • What data you collect (contact form submissions, analytics data, cookies)
  • Why you collect it (to respond to enquiries, to improve the website)
  • How long you keep it (for example, "we retain contact form submissions for 12 months")
  • Who you share it with (your email provider, your analytics tool, and so on)
  • How people can request that their data be deleted

There are free privacy policy generators online, but make sure the one you use covers UK GDPR specifically, not just the EU version — there are small but important differences since Brexit.

2. A Cookie Consent Banner

If your website uses cookies — and almost all websites do — you need to ask for consent before placing non-essential cookies on a visitor's device.

Essential cookies (the ones that keep the website functioning, like session cookies) do not require consent. But analytics cookies, advertising cookies, and social media tracking cookies do.

This is where a cookie consent banner comes in. It should:

  • Appear before any non-essential cookies are set
  • Explain what types of cookies you use
  • Give visitors a genuine choice to accept or decline
  • Remember their preference so they are not asked on every visit

A banner that simply says "By using this website you agree to cookies" does not meet the legal standard. Visitors need to actively give consent — clicking "Accept" — before non-essential cookies fire. A pre-ticked box or implied consent is not enough.

3. A Secure Contact Form

When someone fills in your contact form, that information is personal data and you have a legal obligation to handle it securely. In practice, this means:

  • Your website should use HTTPS (the padlock symbol in the browser address bar). If it does not, get this sorted as a priority — data submitted through an insecure form is transmitted in plain text, which puts your visitors at risk and leaves you exposed.
  • Do not store contact form submissions indefinitely. Decide on a clear retention period and delete them once they are no longer needed.
  • If you use a third-party form tool, check their data processing terms to confirm they handle personal data appropriately.

4. A Process for Data Deletion Requests

Under UK GDPR, individuals have the right to ask you to delete their personal data. This is sometimes called the "right to be forgotten." For most small businesses, this simply means having a way for people to contact you to make a deletion request — usually an email address — and committing to respond within one calendar month.

Include this in your privacy policy so people know how to exercise their rights.

What About Google Analytics?

Google Analytics is one of the most widely used tools on small business websites, and it sits in a genuine grey area. Google Analytics collects information about how visitors use your website — pages viewed, time on site, approximate location, and more. This counts as personal data processing.

To use Google Analytics compliantly:

  • Only load the Analytics script after a visitor has accepted analytics cookies via your consent banner
  • Enable IP anonymisation in your Analytics settings (this removes the last portion of a visitor's IP address before it is stored)
  • Mention Google Analytics in your privacy policy and link to Google's privacy information
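The consent-before-loading behaviour described in the cookie banner section and in the Analytics list above, as an added example that is not the post's or Velocity Web Studio's code: it records the visitor's explicit choice in a first-party cookie, treats a missing or malformed cookie as no consent (so nothing is implied or pre-ticked), and loads the analytics script only once that category has been accepted. The cookie name, the category names and the script URL are assumptions.

```javascript
// Added example (not from the post): a first-party consent gate for non-essential scripts.
// The pure functions run in Node for testing; the DOM part runs only in a browser.
const CONSENT_COOKIE = 'cookie_consent';          // assumed cookie name for the remembered choice
const CATEGORIES = ['analytics', 'advertising'];  // assumed non-essential categories on this site

// Parse a document.cookie-style string. Returns null when no valid choice has been recorded,
// so a missing or malformed cookie is never treated as consent (no implied consent).
function readConsent(cookieString) {
  const pair = cookieString.split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    return Object.fromEntries(CATEGORIES.map(c => [c, parsed[c] === true]));
  } catch (e) {
    return null;
  }
}

// Serialise an explicit choice into a cookie value that remembers it for `days` days.
// Categories the visitor did not tick are stored as false: nothing is pre-ticked.
function buildConsentCookie(choices, days = 180) {
  const value = Object.fromEntries(CATEGORIES.map(c => [c, choices[c] === true]));
  const maxAge = days * 24 * 60 * 60;
  return CONSENT_COOKIE + '=' + encodeURIComponent(JSON.stringify(value)) +
    '; Max-Age=' + maxAge + '; Path=/; SameSite=Lax; Secure';
}

// On page load: show the banner if there is no recorded choice (and load nothing non-essential),
// otherwise load only the categories the visitor accepted.
function planPageLoad(cookieString) {
  const consent = readConsent(cookieString);
  if (consent === null) return { showBanner: true, load: [] };
  return { showBanner: false, load: CATEGORIES.filter(c => consent[c]) };
}

// Browser only: inject a third-party script tag (e.g. the analytics tag) once its category is allowed.
function loadScript(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
if (typeof document !== 'undefined') {
  const ANALYTICS_SRC = 'https://example.invalid/analytics.js';  // placeholder for the real tag URL
  const plan = planPageLoad(document.cookie);
  if (plan.load.includes('analytics')) loadScript(ANALYTICS_SRC);
  // On the banner's "Accept" click: document.cookie = buildConsentCookie({ analytics: true }); then loadScript(ANALYTICS_SRC);
}
```

If `plan.showBanner` is true the page must render the banner and set no non-essential cookie until the visitor clicks.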

Some business owners choose to switch to a privacy-first analytics alternative instead — tools like Fathom or Plausible do not use cookies at all, which makes compliance considerably simpler and removes the need for a consent banner entirely.

What Happens If You Get It Wrong?

The ICO has the power to issue significant fines for GDPR breaches, but in practice its enforcement focus is on large organisations mishandling data at scale or on serious breaches affecting many people.

For a small business website that is making a genuine effort to comply, the more realistic risk is reputational. Customers are increasingly aware of their data rights. A website without a privacy policy, or with a cookie banner that gives no real choice, signals that the business is either careless or indifferent to how it handles personal information.

Compliance is also just good practice. Collecting only the data you actually need, keeping it secure, and being transparent about how you use it builds the kind of trust that turns website visitors into paying customers.

Getting Compliance Right from the Start

GDPR compliance is far easier to build into a website from the beginning than to retrofit after launch. A cookie consent system added later often breaks other things; a privacy policy written when you already have a list of data sources is much more accurate than one written speculatively.

At Velocity Web Studio, every website we build includes HTTPS as standard, a properly implemented cookie consent solution, and a privacy policy template tailored to your specific setup — forms, analytics tools, and all. We make sure your site collects only what it needs and handles it correctly from day one.

If you are not sure whether your current website is compliant, or if you are planning a new site and want to get data protection right from the start, get in touch — we would be happy to talk it through.
