GDPR for Small Business Websites in 2026: What You Actually Need to Do

GDPR sounds terrifying. But for most small business websites, compliance is simpler than you think. Here's exactly what you need — and what you can ignore.

#GDPR #Privacy #Small Business #Compliance

GDPR sounds like it was designed to frighten small business owners. And honestly, there’s a whole industry of “compliance consultants” making good money from exactly that fear — sending cold emails about how your website is “potentially non-compliant” and offering to fix it for a couple of grand.

If you’ve got a five-page website with a contact form and a mailing list signup, you do not need a two-thousand-pound audit. You probably need about four changes, and none of them cost anything.

The regulation is real. You do need to take it seriously. But the actual requirements for a normal small business website are straightforward — genuinely straightforward, not “straightforward if you hire us” straightforward.

What GDPR actually means for your website

GDPR (General Data Protection Regulation) is about protecting people’s personal data. If your website collects any information about visitors — names, email addresses, phone numbers, even IP addresses — you have obligations around how you handle that data.

But here’s the key thing most people miss: GDPR is proportionate. The ICO (Information Commissioner’s Office, the UK’s data regulator) doesn’t expect a three-person landscaping firm to have the same data infrastructure as Amazon. They expect you to take reasonable steps appropriate to the size of your business and the data you’re handling.

For most small business websites, that means getting a few specific things right. Not hiring a compliance officer. Not rewriting your entire site. Just being sensible and transparent about what you’re doing with people’s information.

Cookie banners are where I see the most unnecessary panic — and the most unnecessary spending.

You do NOT need a cookie banner if your website only uses strictly necessary cookies. These are the ones your site needs to function — session cookies, security cookies, things like that. A basic brochure site built on modern frameworks often doesn’t set any tracking cookies by default.

You DO need a cookie banner if you’re using:

  • Google Analytics (or any analytics that sets cookies)
  • Facebook Pixel or any advertising tracking
  • Embedded YouTube videos (they set cookies)
  • Third-party chat widgets
  • Social media sharing buttons that track users

The banner needs to do more than just say “we use cookies, OK?” — it needs to let visitors actually choose which cookies they accept. That means giving people a genuine option to decline non-essential cookies, and your site needs to respect that choice. No pre-ticked boxes. No dark patterns where “Accept All” is a big green button and “Reject” is hidden in grey text.

The practical approach: If you’re running a simple business website and the only reason you’d need a cookie banner is Google Analytics, consider whether you actually need Google Analytics. For most small business sites, simpler alternatives like Plausible or Fathom give you the visitor data you need without setting cookies at all — which means no cookie banner required. I’ve switched several clients to cookieless analytics and none of them have missed anything useful.

If you do need a cookie banner, don’t pay for an expensive solution. Tools like Cookiebot have free tiers for small sites, and open-source options like Osano work perfectly well.

Your privacy policy: what it actually needs to say

Every website that collects personal data needs a privacy policy. That’s non-negotiable. But it doesn’t need to be a 4,000-word legal document that nobody reads.

Your privacy policy should clearly explain:

  • Who you are — your business name and contact details
  • What data you collect — be specific (names, email addresses, phone numbers, IP addresses)
  • Why you collect it — to respond to enquiries, send newsletters, process orders
  • How long you keep it — you can’t keep data forever; set a reasonable retention period
  • Who you share it with — email marketing platforms, payment processors, hosting providers
  • People’s rights — the right to access, correct, or delete their data
  • How to contact you about data concerns

That’s the list. Write it in plain English, not legalese. The ICO actually prefers clear, readable privacy policies over dense legal ones.

You can use the ICO’s privacy notice template as a starting point — it’s free and specifically designed for small businesses. Don’t pay a solicitor £500 for something you can adapt yourself in an afternoon.

Important: Link your privacy policy from your website footer on every page, and specifically from any forms where you collect data.

Contact forms and data handling

If you’ve got a contact form on your website — and you probably should — here’s what GDPR requires:

Before the form is submitted:

  • Tell people what you’ll do with their information (a short line under the form is fine: “I’ll use your details to respond to your enquiry. See my privacy policy for full details.”)
  • Don’t collect more information than you need. If you just need a name and email to respond, don’t ask for their address, date of birth, and mother’s maiden name.

After the form is submitted:

  • Store the data securely. If form submissions go to your email, that’s generally fine — just make sure your email account is properly secured with a strong password and two-factor authentication.
  • Don’t keep enquiry data forever. Set yourself a reminder to clear out old form submissions periodically. A year is a reasonable retention period for general enquiries.
  • If someone asks you to delete their data, do it promptly.

Newsletter signups need explicit consent. That means a clear statement about what people are signing up for, and no pre-ticked boxes. “Sign up for our monthly newsletter about [topic]” with a checkbox they actively tick is fine. Adding everyone who fills in your contact form to your mailing list without asking is not fine.

For more on keeping your forms and data secure, I’ve written a separate guide on website security for small businesses that covers the technical side.

Google Analytics: the compliance headache

Google Analytics deserves its own section because it’s where a lot of small businesses accidentally fall foul of GDPR.

The issue: Google Analytics 4 still collects IP addresses and sets cookies that track users across sessions. Under GDPR, that counts as personal data processing, which means you need:

  1. A cookie consent banner that lets visitors opt out
  2. Analytics only loading after consent is given
  3. A section in your privacy policy explaining what data GA collects and that it’s shared with Google
  4. A data processing agreement with Google (there’s one built into the GA settings)

The honest truth: For most small business websites getting 50-500 visitors a month, Google Analytics is overkill anyway. You don’t need to know the demographic breakdown of your visitors or their multi-channel attribution paths. You need to know how many people visited, which pages they looked at, and where they came from.

Privacy-friendly analytics tools like Plausible (from around €9/month) or Fathom give you exactly that without cookies, without personal data collection, and without needing a consent banner. It’s a cleaner setup all round, and I’ve been recommending it to all my clients for the past couple of years.

If you’re set on using Google Analytics, make sure your cookie banner actually blocks the GA script until consent is given. I’ve seen dozens of sites where the banner is there but GA loads regardless — that’s worse than having no banner at all, because it looks like you’re trying to comply while actually not complying.
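The two points above (a banner that genuinely respects "decline", and an analytics script that does not load until someone has accepted) come down to one small piece of page logic. The following is an added example written for this article, not code from the original post or from any consent-tool vendor. It assumes a first-party cookie named `cookie_consent` holding a tiny JSON record, hypothetical element IDs `cookie-banner`, `consent-accept` and `consent-reject`, a hypothetical `/js/site.js` for the site's own code, and a placeholder GA measurement ID. The pure functions can be run under Node; the browser wiring at the bottom only runs when a `document` exists.

```javascript
// Added example (not code from the original post): consent-gated loading of a tracking
// script. Nothing tracking-related is injected until the visitor has actively accepted,
// and "reject" is recorded with the same weight as "accept" so the banner does not
// keep reappearing. Assumptions: a first-party cookie named "cookie_consent" holding a
// small JSON record, a placeholder GA measurement ID, and hypothetical element IDs.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE_DAYS = 180;
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property

// Scripts every visitor gets: the site's own code, no third-party tracking.
const STRICTLY_NECESSARY = ['/js/site.js']; // hypothetical path

// Scripts that need consent, grouped by the consent category they fall under.
const CONSENT_GATED = {
  analytics: [`https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`],
};

// Parse a cookie string ("theme=dark; cookie_consent=...") into a consent record.
// Anything missing, malformed or ambiguous yields null, which downstream treats as "no".
function readConsent(cookieString) {
  for (const part of String(cookieString).split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (parsed && typeof parsed.analytics === 'boolean') {
        return { analytics: parsed.analytics };
      }
    } catch (e) {
      return null; // corrupt cookie: fail closed, never enable tracking by accident
    }
    return null; // well-formed JSON but not an explicit true/false
  }
  return null;
}

// Build the cookie value for a choice. Accept and reject are both stored explicitly;
// an absent cookie is the only state that shows the banner again.
function serializeConsent(choice) {
  const record = JSON.stringify({ analytics: choice.analytics === true });
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(record)}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// The decision the checklist's Network-tab test exercises: which URLs may load right now?
function scriptsToLoad(consent) {
  const urls = [...STRICTLY_NECESSARY];
  if (consent !== null && consent.analytics === true) {
    urls.push(...CONSENT_GATED.analytics);
  }
  return urls;
}

// Browser-only wiring; skipped when the file is run under Node.
if (typeof document !== 'undefined') {
  const loaded = new Set();
  const inject = (src) => {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  };
  // Load whatever the stored choice permits, each script at most once.
  const apply = () => {
    for (const src of scriptsToLoad(readConsent(document.cookie))) {
      if (loaded.has(src)) continue;
      loaded.add(src);
      inject(src);
    }
  };
  const banner = document.getElementById('cookie-banner'); // hypothetical element
  const decide = (analytics) => {
    document.cookie = serializeConsent({ analytics });
    banner.hidden = true;
    apply();
  };
  // Two plain buttons; give them equal prominence in CSS, not a big green "Accept All".
  document.getElementById('consent-accept').addEventListener('click', () => decide(true));
  document.getElementById('consent-reject').addEventListener('click', () => decide(false));
  banner.hidden = readConsent(document.cookie) !== null;
  apply(); // with no choice recorded yet this loads only the strictly necessary scripts
}
```

To verify a live site the way the checklist suggests, clear the `cookie_consent` cookie, reload with the Network tab open, click reject, and confirm no request to `googletagmanager.com` appears; if it does, the banner is decorative rather than functional.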

What about the ICO? Real consequences for small businesses

Let’s be realistic about enforcement. The ICO isn’t trawling the internet looking for small business websites with imperfect privacy policies. Their focus is on large-scale data breaches, systematic violations, and companies that handle sensitive data irresponsibly.

That said, they can and do act on complaints. If a customer complains to the ICO that you’ve been sending them marketing emails they didn’t sign up for, or that you refused a data deletion request, the ICO will investigate. Fines for small businesses are typically proportionate — we’re talking hundreds or low thousands of pounds, not millions. But the reputational damage and hassle of an ICO investigation is worth avoiding.

The more practical risk for most small businesses is losing customer trust. People are increasingly aware of their data rights. A professional, transparent approach to data handling says something about your business. A dodgy-looking cookie banner or a missing privacy policy says something too.

One thing to note: If you process personal data (and running a website with a contact form means you do), you should be registered with the ICO. It costs £40 per year for most small businesses. You can check and register on the ICO website. It’s not optional, and it’s one of those things that’s easy to overlook.

The 15-minute GDPR check for your website

Here’s a practical checklist you can run through right now. Grab a cup of tea and work through it — most small business sites can tick these off in a single sitting.

  • Privacy policy exists and is linked from every page — Check your footer. If there’s no privacy policy link, that’s job one.
  • Privacy policy is up to date — Does it mention all the tools and services you currently use? If you switched email platforms last year, your policy should reflect that.
  • Contact forms have a privacy notice — Even a single line linking to your full privacy policy counts.
  • Newsletter signup has explicit consent — An active checkbox, not a pre-ticked one. Clear statement about what they’re signing up for.
  • Cookie banner works properly (if needed) — Test it yourself. Decline cookies, then check whether tracking scripts still load. Your browser’s developer tools (Network tab) will show you.
  • You’re not collecting unnecessary data — Review your forms. Do you really need every field that’s there?
  • Old enquiry data is being cleared out — Check your inbox or CRM. Are you holding onto contact form submissions from three years ago? Delete what you don’t need.
  • Your email account is secure — Strong password and two-factor authentication on any account that receives customer data.
  • ICO registration is current — Check at ico.org.uk that your registration is active and up to date.
  • Third-party tools are listed — Any service that processes your visitors’ data (email platforms, analytics, payment processors) should be mentioned in your privacy policy.

If you’ve ticked all ten, you’re in a solid position. Not bulletproof — no website is — but sensible, proportionate, and demonstrably trying to do the right thing. That’s what the ICO expects from a small business.

Stop overthinking it

GDPR compliance for a small business website isn’t a legal minefield. It’s a handful of practical steps that boil down to one principle: be honest and transparent about what data you collect and what you do with it.

You don’t need to hire a consultant. You don’t need expensive compliance software. You need a clear privacy policy, sensible data handling, and the common sense to not add people to mailing lists without asking.

When I build sites for clients, I handle all of this as standard — privacy policy template, properly configured analytics, forms that collect only what’s needed, cookie consent set up correctly if it’s required. It’s just part of building a website properly. If your developer isn’t doing this, it’s worth asking why.

And if you’ve got a site that’s been running for a while and you’re not sure where you stand, that fifteen-minute checklist above is a genuine starting point. Work through it, fix what needs fixing, and move on. Your time is better spent running your business than worrying about regulations that, for most small websites, require less effort than people think.


Not sure whether your website is GDPR compliant? Get in touch and I’ll take a quick look — no charge, no jargon. I’ll tell you exactly what needs sorting and what’s already fine.