What Does GDPR Mean for Your Website? A Plain English Guide for UK Businesses

GDPR — the General Data Protection Regulation — came into effect in 2018 and fundamentally changed how businesses must handle personal data. Following Brexit, the UK operates under UK GDPR, which mirrors the original EU regulation with minor adaptations and is enforced by the Information Commissioner’s Office (ICO).

For most small business owners, the implications of UK GDPR for your website are more manageable than the headlines suggest. Here’s a plain English breakdown of what it means in practice.

What Counts as Personal Data on a Website?

Personal data is any information that can identify an individual — directly or indirectly. On a typical small business website, this includes: names and email addresses collected through contact forms, IP addresses recorded in server logs and analytics tools, names and contact details captured through newsletter sign-ups, and any information submitted through booking forms, quote requests, or account registrations.

Cookies and tracking pixels that link browsing behaviour to an individual also constitute personal data processing under UK GDPR. This is why cookie consent is legally required — placing a tracking cookie on someone’s device without their permission is a form of unauthorised personal data collection.

You don’t need to collect a lot of information for GDPR to apply. A simple “Contact Us” form that captures a name and email address is enough to create obligations under the regulation.

Your Key GDPR Obligations as a Website Operator

Lawful basis: you must have a valid legal reason for collecting and processing personal data. For most small business website enquiries, the lawful basis is “legitimate interests” (you have a legitimate business reason to process an enquiry) or “contract” (the person wants you to quote for a job, which requires processing their details). For marketing emails, the lawful basis is usually “consent,” which must be freely given, specific, and informed.

Transparency: you must tell people what data you collect, why you collect it, how long you keep it, and their rights under UK GDPR. This information goes in your privacy policy. Your contact forms should reference your privacy policy (typically a brief statement and a link).

Data minimisation: only collect the information you actually need. A contact form that asks for a name and email is appropriate; one that also asks for date of birth, employer, and annual income is not — unless you have a clear reason for needing those details. Less data collected means less risk and simpler compliance.

Practical Steps for Your Website

Audit your data flows: list every place on your website where personal data is collected, what happens to it, and where it ends up. Contact forms, newsletter sign-ups, live chat, booking systems, and analytics tools are the most common sources. For each one, confirm you have a lawful basis, that your privacy policy covers it, and that data is stored securely.

Review your contact forms and email sign-ups. Consent for marketing emails must be active (a ticked checkbox the user has chosen to tick, not pre-ticked) and must be separate from consent to be contacted about a specific enquiry. Keep records of when and how consent was given.

Appoint a point of contact for data subject requests. Under UK GDPR, individuals have the right to access the data you hold about them, request correction, or ask you to delete it. You must respond within one calendar month. Even for a small business, having a clear internal process for handling these requests protects you if one arrives.
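To make the form-review step concrete, here is an added example (not code from this guide or from any product it mentions) of a small server-side handler for a contact form. It keeps only the fields the enquiry needs, treats marketing consent as a separate, actively ticked checkbox, and writes a dated record of what the person agreed to. Field names, the consent wording and the form source label are assumptions chosen for illustration.

```javascript
// Added example, not part of the original guide. Field names, consent
// wording and the "source" label are assumptions for illustration.

// Only the fields the enquiry actually needs are retained (data minimisation).
const ENQUIRY_FIELDS = ["name", "email", "message"];

// The exact text shown beside the marketing checkbox. It is stored with each
// consent record so you can later show what the person agreed to.
const MARKETING_CONSENT_WORDING =
  "Yes, send me occasional news and offers by email. You can unsubscribe at any time.";

// Renders the marketing checkbox for the form. Deliberately no `checked`
// attribute: it starts unticked and the user must actively tick it, and it is
// separate from submitting the enquiry itself.
function renderMarketingCheckbox() {
  return `<label><input type="checkbox" name="marketing_consent" value="on"> ${MARKETING_CONSENT_WORDING}</label>`;
}

// Validates a parsed form body and returns the minimised enquiry plus a
// consent record (or null when no consent was given). `now` is injectable so
// the timestamp is reproducible in tests.
function processContactForm(submission, now = new Date()) {
  const errors = [];

  // Copy only the allow-listed fields; anything else the browser sent
  // (for example an unneeded date of birth) is dropped here.
  const enquiry = {};
  for (const field of ENQUIRY_FIELDS) {
    const raw = submission[field];
    const value = typeof raw === "string" ? raw.trim() : "";
    if (!value) errors.push(`Missing required field: ${field}`);
    enquiry[field] = value;
  }

  // A browser omits an unticked checkbox from the submission entirely, so
  // anything other than the checkbox's own value means "no consent". The
  // enquiry is still processed; only marketing email depends on this flag.
  const marketingOptIn = submission.marketing_consent === "on";

  // Record when and how consent was given, as the guide recommends.
  const consent = marketingOptIn
    ? {
        email: enquiry.email,
        purpose: "marketing_email",
        wording: MARKETING_CONSENT_WORDING,
        recordedAt: now.toISOString(),
        source: "website_contact_form", // assumed label for this form
      }
    : null;

  return { ok: errors.length === 0, errors, enquiry, consent };
}
```

The consent record is kept apart from the enquiry so a later access or deletion request can be answered per purpose, and so a withdrawal of marketing consent does not require touching the enquiry itself.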

FAQs

Common questions.

Does UK GDPR apply to my small business website?

Yes. UK GDPR applies to any organisation — regardless of size — that processes personal data of UK residents. The only exemption for small businesses relates to formal record-keeping obligations: businesses with fewer than 250 employees are exempt from maintaining a full Article 30 record of processing activities, unless their processing is high-risk. However, all other GDPR obligations — lawful basis, transparency, data subject rights — still apply.

Do I need to register with the ICO?

Most organisations that process personal data must pay the ICO’s data protection fee, which starts at £40 per year for small organisations (turnover under £632,000 and fewer than ten staff). There are exemptions for some types of processing. Check the ICO’s self-assessment tool to confirm whether your organisation needs to register.

What happens if I have a data breach on my website?

If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals without undue delay. Document all breaches, even those you decide don’t require notification, as the ICO may ask about your breach response procedures.