GDPR for Small Businesses: What Your Website Actually Needs

Every UK business website needs to comply with GDPR - but most small business owners don't know what that actually means. Here's what's legally required and what's just good practice.

We review a lot of small business websites. The two most common GDPR situations we see are: a cookie banner that says "by using this site you agree to cookies" with no way to say no - and no cookie banner at all. Both are wrong. And both are fixable in an afternoon.

Most small business owners we speak to either think GDPR doesn't apply to them because they're too small, or they've gone the other way and spent hours worrying about it unnecessarily. The reality is somewhere in the middle - and a lot simpler than most people think.

By the end of this post you'll know exactly what your website needs to comply with UK GDPR, what's a legal requirement versus good practice, and what most small business websites are quietly getting wrong right now.

Does GDPR actually apply to my small business?

Yes - without exception. If your website has a contact form, Google Analytics, a mailing list, or even just tracks how many visitors you get, you are collecting personal data. That puts you under UK GDPR, the post-Brexit version of the regulation enforced by the ICO (Information Commissioner's Office).

There's no minimum size threshold. A sole trader with a simple five-page website and a contact form is subject to the same core rules as a company with 200 employees. The scale of what's required might differ, but the obligation doesn't go away.

The good news: for most small businesses, what's actually required is manageable. It's not about drowning in legal paperwork. It's about being transparent with the people who visit your website.

What your website actually needs to comply with GDPR

A privacy policy

Every website that collects personal data needs one. That means virtually every business website.

Your privacy policy needs to cover: who you are and how to contact you, what data you collect and why, how long you keep it, whether you share it with anyone else, and what rights visitors have over their own data (including the right to ask you to delete it).

It doesn't need to be written by a solicitor - but it does need to be accurate, up to date, and easy to find. A link in your footer on every page is the standard approach. Hiding it three clicks deep doesn't count.

The ICO has a free privacy notice generator on their website that's a decent starting point for small businesses.

Cookie consent

This is where most small business websites fall down - and it's also the area the ICO is actively reviewing right now.

Not all cookies require consent. Essential cookies - the ones that keep your website functioning, like remembering what's in a shopping cart or keeping someone logged in - can be used without asking. Non-essential cookies - Google Analytics, Meta Pixel, live chat tools, advertising trackers - require explicit consent before they're loaded.

The most common thing we see is a banner that says something like "This site uses cookies. By continuing to browse you agree." That's not valid consent under UK GDPR. There's no real choice being offered - just a statement. A compliant banner needs a genuine way to say no, not just a button that says yes.

Tools like CookieYes, Cookiebot, or similar free and low-cost plugins can handle this properly for most small business websites.

Your contact form

Contact forms are where most small business websites quietly fall short. We regularly see forms with no link to a privacy policy anywhere near the submit button - which is a basic requirement. If someone is handing over their name and email address, they need to know what you're going to do with it before they hit send.

A simple line beneath the form - something like "We'll only use your details to respond to your enquiry. Read our privacy policy." with a link - covers this. It doesn't need to be complicated.

You also shouldn't be collecting more information than you actually need. If you only need a name, email, and message, don't add ten extra fields. Data minimisation is a core GDPR principle.

One thing that surprises people: if you have a mailing list, a pre-ticked checkbox that says "sign me up for updates" is not valid consent under GDPR. The person has to actively opt in - which means an unticked box they choose to tick. It sounds like a small detail but it's one of the things the ICO specifically looks for.

What the ICO actually does about small businesses

The ICO's approach with small businesses tends to be guidance-first. If you're making a genuine effort to comply and you haven't done anything egregious, a fine is unlikely to be your first interaction with them.

That said, the ICO launched an active review of the UK's top 1,000 websites for cookie compliance in late 2025 - and has signalled that enforcement is a priority. While your small business site probably isn't in their top 1,000, the direction of travel is clear.

More practically: GDPR compliance is about trust. A clear privacy policy and a working cookie banner tell your visitors that you take their data seriously. For a small business where trust is everything, that's worth doing regardless of enforcement risk.

Legal requirement vs good practice

Legally required for most small business websites:

  • A privacy policy that's accurate and findable
  • Cookie consent for non-essential cookies (analytics, marketing, live chat)
  • A privacy policy link near any contact or sign-up form
  • Unticked opt-in boxes for mailing lists
  • Reporting data breaches to the ICO within 72 hours if they pose a risk to individuals

Good practice but not strictly required:

  • A separate cookie policy page (can be covered in your privacy policy)
  • A formal Data Protection Officer (only required for certain types of high-risk processing)
  • Detailed records of all data processing activities (required if over 250 employees, recommended for everyone)

The one thing most small business websites get wrong

Cookie banners that don't actually work.

We see this constantly - a banner that looks compliant on the surface but either has no real opt-out, loads all cookies before the visitor has made a choice, or pre-selects every option as accepted. These don't meet the standard.

Valid cookie consent under UK GDPR means: the visitor is informed before any non-essential cookies are loaded, they can accept or reject non-essential cookies clearly and easily, and their choice is remembered so they're not asked every single visit.
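As an added illustration (not code from the original post, and not any particular plugin's implementation), the following constructed JavaScript shows those three behaviours as a minimal consent gate: non-essential loaders stay queued until the visitor chooses, a rejected category is never loaded, and the choice is stored so the banner isn't shown on the next visit. The storage key and category names are assumptions; storage and loaders are injected so it also runs outside a browser.

```javascript
// Constructed example: a minimal consent gate for non-essential scripts.
// Storage and loaders are injected so it runs in Node; in a browser pass
// window.localStorage and loaders that insert the real <script> tags.
const CONSENT_KEY = "cookie_consent_v1";               // assumed key name
const CATEGORIES = ["analytics", "marketing", "chat"]; // non-essential groups

// Read a previously stored choice; null if absent or malformed.
function readConsent(storage) {
  try {
    const saved = JSON.parse(storage.getItem(CONSENT_KEY));
    return saved && typeof saved.choices === "object" ? saved.choices : null;
  } catch (e) {
    return null;
  }
}

// Persist the choice so the visitor is not asked on every visit.
function saveConsent(storage, choices) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ choices, at: Date.now() }));
}

class ConsentGate {
  constructor(storage) {
    this.storage = storage;
    this.deferred = { analytics: [], marketing: [], chat: [] };
  }
  // Queue a loader; it runs only once its category has been granted.
  register(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category");
    this.deferred[category].push(loader);
  }
  // Apply a choice: anything not explicitly granted stays rejected.
  apply(choices) {
    const decided = {};
    for (const c of CATEGORIES) decided[c] = choices[c] === true;
    saveConsent(this.storage, decided);
    for (const c of CATEGORIES) {
      if (!decided[c]) continue;
      this.deferred[c].forEach((load) => load());
      this.deferred[c] = [];
    }
    return decided;
  }
  // On page load: re-apply a remembered choice, otherwise show the banner
  // with an equally prominent reject option (no pre-ticked boxes).
  init() {
    const remembered = readConsent(this.storage);
    if (remembered) { this.apply(remembered); return { showBanner: false }; }
    return { showBanner: true, buttons: ["Accept all", "Reject all", "Manage"] };
  }
}
```

The point to check on a real site is the same as in the test below: the analytics loader must not run at all until the visitor has explicitly accepted that category.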

If you're using Google Analytics and you don't have a working cookie consent mechanism, you're collecting data without a valid legal basis. That's the situation a significant number of small business websites are in right now - not through bad intent, but because no one told them.

The fix isn't expensive or complicated. A properly configured consent plugin, a basic privacy policy, and a small tweak to your contact form will cover the vast majority of what most small businesses need.

You don't need a solicitor - you need the basics done right

You don't need a solicitor to get your website GDPR-compliant. You need a clear privacy policy, a cookie banner that actually works, and a contact form that tells people what happens to their data. Most small businesses can sort all three in a day if they know what they're looking for.

When we build a new website for a client, GDPR compliance is built in from the start - not bolted on at the end as an afterthought. It's one of those things that's much easier to do right the first time than to go back and fix later.

If you're not sure where your website currently stands, we're happy to take a look. Our first consultation is free, and we'll give you a straight answer - no jargon, no scare tactics.
