If you run a UK small business and you have a website — or you are thinking about building one — you have almost certainly heard of GDPR. The letters alone sound intimidating. Headlines about multi-million-pound fines do not help. The sheer volume of conflicting advice online can make it feel like a minefield. Here is the truth: for most UK SME websites, GDPR compliance comes down to a handful of practical steps that are straightforward to understand and fairly simple to put in place. You do not need a law degree. You do not need to hire a consultant. And you certainly do not need to panic. This guide walks through what UK GDPR actually requires, in plain English, with no legal jargon.
Important: this guide is general information, not legal advice. If your situation is complex, consult a solicitor. For the vast majority of UK SMEs, however, the information below gives a clear picture of what is required.
GDPR stands for General Data Protection Regulation. Originally an EU regulation, it came into effect in May 2018 and reshaped how every organisation in Europe handles personal data. When the UK left the EU, the government incorporated GDPR into domestic law through the Data Protection Act 2018 and the UK GDPR. In practical terms, the rules are near-identical to the EU version.
The core idea is simple: people have a right to know what personal data is being collected about them, why, and what happens to it. Organisations that collect personal data — which includes almost every UK business with a website — must handle that data responsibly, transparently and securely.
The regulator in the UK is the Information Commissioner's Office (ICO). The ICO publishes guidance, investigates complaints and, where necessary, issues fines. It also runs a helpful small-business hub with free resources specifically aimed at owners who are not data-protection experts.
Personal data means any information that can identify a living person — directly or indirectly. That includes names, e-mail addresses, phone numbers, IP addresses and even cookie identifiers. If your website collects any of these, UK GDPR applies.
Almost certainly, yes. If your site does any of the following, you are processing personal data and UK GDPR applies:
In short, if your website does anything more than display static text with no forms, no analytics and no third-party services, UK GDPR is relevant. And even a completely static site may set cookies through the hosting platform. The safest assumption is that UK GDPR applies to you — because it almost certainly does.
Size does not matter. UK GDPR applies equally to a sole trader with a five-page site and a multinational. Expectations are proportionate — nobody expects a one-person business to have a dedicated Data Protection Officer — but the core obligations are the same.
Under UK GDPR you cannot collect or use personal data just because you feel like it. You need a lawful basis — a legal reason — for every type of data you process. There are six; for most small-business sites, only two or three are relevant in practice.
| Lawful basis | What it means | Website example |
|---|---|---|
| Consent | The person clearly agreed to the processing. | Ticking a box to sign up for your e-mail newsletter. |
| Contract | Processing is necessary to fulfil a contract or take steps before entering one. | Collecting a delivery address when someone places an order. |
| Legitimate interest | Processing is necessary for your legitimate business interests, balanced against the person's rights. | Using first-party analytics to understand which pages are popular. |
| Legal obligation | You are required by law to process the data. | Keeping financial records for HMRC. |
| Vital interests | Processing is necessary to protect someone's life. | Rarely relevant for SME websites. |
| Public task | Processing is necessary for a task in the public interest. | Relevant mainly for public authorities. |
For a typical UK SME website, consent is the right basis for e-mail marketing. Contract covers order processing and service delivery. Legitimate interest can cover basic website analytics and security monitoring, provided you have done a balancing test to make sure your interests do not override the visitor's privacy rights.
The key point: you should know which lawful basis applies to each type of data you collect, and state it in your privacy notice. Do not overthink it — be honest and clear about why you are collecting data.
Every business website needs a privacy notice (sometimes called a privacy policy). This is not optional: UK GDPR requires you to tell visitors, in clear, plain language, how you handle their personal data.
Your privacy notice must include:
The privacy notice must be easy to find. Best practice: link to it from the footer of every page. Sitejet Builder makes this straightforward with a dedicated privacy-notice page template.
A common mistake is copying a privacy notice from another website. Do not. Every business collects different data for different reasons. Your notice must reflect what your site actually does. The ICO provides a free small-business generator at ico.org.uk; always review the output so it matches your actual practices.
Cookies are one of the most confusing areas of compliance because the rules come from two overlapping pieces of legislation:
In the UK, both apply at the same time. Here is the simplified version:
If your site uses Google Analytics, Facebook Pixel, advertising networks or any third-party tracker, you need a cookie consent banner that gives visitors a genuine choice. “By continuing to browse this site you agree to cookies” is not valid consent under PECR or UK GDPR. Consent must be freely given, specific, informed and unambiguous. The visitor must actively opt in — typically by clicking a button.
There is a practical way to avoid most of the cookie-banner pain: use analytics that do not set non-essential cookies. Matomo, for example, can be configured to use first-party cookies only, which the ICO has indicated can fall under the “strictly necessary” exception when used purely for audience measurement. No consent banner needed for basic stats — a cleaner visitor experience and one less compliance headache.
If your site has a contact form, you are collecting personal data every time someone fills it in. The same applies to e-mail signup forms, quote forms and booking forms.
For a simple contact form where someone is sending an enquiry, the lawful basis is usually legitimate interest or contract (if they are requesting a service). You do not necessarily need a separate consent checkbox for the enquiry itself. But you should tell the visitor what will happen to their data — a short line beneath the form: “We will use your details to respond to your enquiry. See our privacy notice for more information.”
Marketing e-mails are subject to stricter rules. If someone fills in a contact form asking about your plumbing services, that does not mean you can add them to your monthly newsletter. Marketing e-mails require separate, explicit consent — a clear, unticked checkbox saying:
“Yes, I would like to receive updates and offers by e-mail” — unticked by default.
Pre-ticked boxes do not count as valid consent. The person must actively choose to opt in. Keep a record of when and how consent was given, in case you need to demonstrate compliance later.
For a standalone “Subscribe to our newsletter” widget in the sidebar or footer, consent is built into the action itself, provided it is clear what the person is signing up for. State what they will receive, how often, and link the privacy notice.
A safer pattern is double opt-in: after submission, send a confirmation e-mail with a link that must be clicked to activate the subscription. This provides documented proof of consent and keeps your list clean of typos and spam signups.
Understanding how people use your site matters for any business. Analytics tell you which pages are popular, where visitors come from, what content drives enquiries. But the way you track visitors matters enormously from a UK GDPR perspective.
Google Analytics is the world's most widely used analytics tool and presents real UK GDPR challenges. It sends visitor data to Google servers in the United States. It uses cookies to track users across sessions. It shares data with Google's advertising ecosystem. Several European data-protection authorities — France (CNIL), Austria, Italy, Denmark — have ruled that standard use of Google Analytics violates GDPR. The ICO has not gone quite that far, but the direction of travel is clear: relying on Google Analytics without very careful configuration (IP anonymisation, no ad features, signed Data Processing Agreement, careful cookie consent) is a risk.
The GDPR-friendly alternative is analytics that keep data within Europe and minimise personal data collection. Matomo is the leading option. Configured correctly — first-party cookies only, no data sharing with third parties, data stored on European servers — Matomo can operate without requiring a cookie consent banner for basic audience measurement.
Alternatives: Plausible Analytics (UK-based, cookie-free by design), Fathom Analytics, Umami (self-hosted). All share the privacy-first philosophy.
Sitejet Builder includes Matomo analytics as a built-in feature. Visitor data stays in EU data centres (Hetzner, Germany). No sharing with advertising networks. Basic stats without a cookie banner. That removes one of the most awkward areas of UK GDPR compliance entirely.
If you use any other third-party tracking — Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking, TikTok Pixel — each must be disclosed in your privacy notice and covered by cookie consent. The fewer third-party trackers, the simpler your compliance.
Most SME owners are not trying to break the rules. Mistakes happen because the rules are confusing and online advice is often contradictory.
A surprising number of UK SME websites still have no privacy notice. This is the single biggest compliance gap. If your site collects any personal data — even a basic contact form — you need one.
An inaccurate privacy notice is almost as bad. If your notice says you do not use cookies but your site loads Google Analytics, you have a problem. Your notice must be accurate and specific to your business.
Many sites either have no banner (despite setting non-essential cookies) or use a banner that only says “OK” with no reject option. Neither meets the ICO standard. A compliant banner must offer genuine choice — accept or reject — and non-essential cookies must not load until the visitor opts in.
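The consent gate that this paragraph and the cookie-consent section describe (reject as a real choice, nothing non-essential loaded until an explicit opt-in, the decision recorded with a timestamp so it can be demonstrated later), as an added JavaScript example that is not part of the original guide or of Sitejet Builder. The storage key, the placeholder script URLs and the injected storage/loader hooks are assumptions so the logic runs both in a browser and outside one.

```javascript
// Added example, not from the guide or Sitejet Builder: a PECR-style consent
// gate that loads nothing non-essential until the visitor opts in.
const CONSENT_KEY = 'cookie_consent_v1'; // assumed storage key

// Optional scripts grouped by purpose; the URLs are placeholders.
const NON_ESSENTIAL = {
  analytics: ['https://example.invalid/analytics.js'],
  marketing: ['https://example.invalid/pixel.js'],
};

// storage: anything with getItem/setItem (window.localStorage in a browser).
// loadScript: how a script is really loaded (in a browser, append a <script>
// tag). now: clock, overridable so the recorded timestamp is testable.
function createConsentGate({ storage, loadScript, now = () => new Date() }) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null; // no decision yet: treated as NOT consented
    try { return JSON.parse(raw); } catch { return null; } // corrupt: ask again
  }

  // Record a decision. `choices` lists the categories opted into; an empty
  // list is an explicit reject, stored just like an accept so it is honoured.
  function record(choices, method) {
    const decision = {
      analytics: choices.includes('analytics'),
      marketing: choices.includes('marketing'),
      method, // e.g. 'banner-accept-all', 'banner-reject', 'preferences-dialog'
      recordedAt: now().toISOString(),
    };
    storage.setItem(CONSENT_KEY, JSON.stringify(decision));
    return decision;
  }

  // Load only the categories opted into and return the URLs loaded. With no
  // decision stored nothing loads, and needsBanner() tells the page to ask.
  function applyConsent() {
    const decision = read();
    const loaded = [];
    if (!decision) return loaded;
    for (const [category, urls] of Object.entries(NON_ESSENTIAL)) {
      if (decision[category] !== true) continue;
      for (const url of urls) { loadScript(url); loaded.push(url); }
    }
    return loaded;
  }

  return { read, record, applyConsent, needsBanner: () => read() === null };
}
```

In a page, call `applyConsent()` on load and show the banner only while `needsBanner()` is true; a change of mind in a preferences dialog is just another `record()` call.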
If your contact form has a “Send me marketing e-mails” checkbox, it must start unticked. A pre-ticked box is not valid consent. This is one of the easiest mistakes to avoid.
UK GDPR requires data to be kept only as long as you need it. If someone sent a contact-form enquiry three years ago and you never replied, there is no reason to still hold their details. Set retention periods and stick to them.
Every third-party tool — live chat, social feed, YouTube embed, Google Fonts — can transfer visitor data. Each should be disclosed in your privacy notice, and non-essential ones covered by cookie consent. The more third parties, the harder compliance becomes. A simpler website is genuinely easier to comply with.
Any processor handling personal data on your behalf (e-mail marketing platform, hosting provider, CRM) must sign a Data Processing Agreement (DPA). Reputable providers publish a standard DPA you accept during signup — check that it exists.
Under UK GDPR, individuals have the right to access their data, correct it, delete it, and object to processing. If someone e-mails asking “what do you hold on me?”, you have one month to respond free of charge. Make sure someone in your business knows what to do with that request.
Most UK businesses and sole traders that process personal data must pay the ICO data protection fee, starting at £40/year for micro-organisations, £60/year for small/medium, and £2,900/year for large. Check whether you need to register using the self-assessment at ico.org.uk/for-organisations/data-protection-fee. It takes five minutes and is well worth doing. Not paying the fee when you should is itself a breach.
This is the part that worries people most. The ICO has power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher. Those are the maximum penalties for the most serious violations by large organisations. In practice, the ICO takes a proportionate approach with small businesses and typically works through several steps before fining:
For a small business making genuine effort to comply, a large fine is extremely unlikely. The ICO has stated repeatedly that it wants to help small businesses get compliance right, not punish honest mistakes. The far bigger risk for most UK SMEs is losing customer trust, not fines.
Under Article 33 of UK GDPR, you have 72 hours from becoming aware of a notifiable personal data breach to report it to the ICO, where the breach is likely to result in a risk to affected individuals. The ICO has an online breach-reporting tool at ico.org.uk/for-organisations/report-a-breach.
Notifiable breaches include unauthorised disclosure or access (for example, an attacker gaining access to your systems), unauthorised alteration, and loss of access (such as ransomware without backups). If the breach is likely to result in high risk to individuals (payment card details or mass credential exposure), Article 34 additionally requires you to notify affected individuals without undue delay.
A full incident response playbook is in our website security, SSL and backups guide.
One of the biggest factors in UK GDPR compliance is the tools you choose. A platform that respects privacy by design makes your job significantly easier.
Q: Does UK GDPR apply to my small business website?
A: Almost certainly yes. If your site has a contact form, e-mail signup, analytics or any feature that collects personal data, UK GDPR applies. It does not matter how small your business is.
Q: Do I need a cookie consent banner?
A: Depends on what cookies your site sets. Under PECR you need consent for non-essential cookies — advertising, third-party analytics, social media widgets. Strictly necessary cookies do not need consent. If you use GDPR-compliant analytics like Matomo configured for first-party only, you can often avoid a banner for basic stats.
Q: What must a privacy notice include?
A: Who you are, what data you collect, why, lawful basis, retention, third-party sharing, visitor rights (access, correction, deletion, objection), and ICO contact for complaints. Plain English — not legal jargon.
Q: Can I be fined for not complying?
A: Yes, up to £17.5 million or 4% of turnover. In practice fines against small businesses are rare. The ICO takes a proportionate approach. The real risk is losing customer trust rather than a fine.
Q: Is Google Analytics UK GDPR-compliant?
A: It raises serious concerns. It sends data to US servers and shares it with Google's ad ecosystem. Several European authorities have ruled against standard use. Matomo (in Sitejet Builder) is a safer alternative that can run cookie-free.
Q: Do I need to register with the ICO?
A: Most businesses and sole traders that process personal data must pay the ICO data-protection fee (£40/year for micro-organisations). Check the ICO self-assessment. Not paying when you should is itself a breach.
Q: How do I handle a data subject access request?
A: Acknowledge within a reasonable time, verify the requester's identity, gather all personal data you hold on them, and respond within one month (free of charge). For complex or multiple requests you can extend by two months but must tell the requester within the first month.
Q: Do I need a Data Protection Officer?
A: Only if you are a public authority, conduct large-scale systematic monitoring of individuals, or process large-scale special-category data. Almost no UK SME needs one. You should still have someone responsible for data-protection decisions, even without a formal DPO role.
Q: What about international data transfers after Brexit?
A: The UK has its own adequacy framework with the EU (covered by the EU-UK Trade and Cooperation Agreement). Transfers to the US require the UK International Data Transfer Addendum or Standard Contractual Clauses. EU-located hosting (Hetzner Germany) avoids these complications entirely.
Q: Does UK GDPR require me to allow users to delete their account?
A: Users have the right to erasure in certain circumstances (e.g. data no longer necessary, consent withdrawn, unlawful processing). You do not have to build a self-service delete button on day one, but you must be able to fulfil an erasure request within one month when received.