What Does GDPR Mean for Your Website? A Plain English Guide for UK Businesses
GDPR — the General Data Protection Regulation — came into effect in 2018 and fundamentally changed how businesses must handle personal data. Following Brexit, the UK operates under UK GDPR, which mirrors the original EU regulation with minor adaptations and is enforced by the Information Commissioner’s Office (ICO).
For most small business owners, the implications of UK GDPR for your website are more manageable than the headlines suggest. Here’s a plain English breakdown of what it means in practice.
What Counts as Personal Data on a Website?
Personal data is any information that can identify an individual — directly or indirectly. On a typical small business website, this includes: names and email addresses collected through contact forms, IP addresses recorded in server logs and analytics tools, names and contact details captured through newsletter sign-ups, and any information submitted through booking forms, quote requests, or account registrations.
Cookies and tracking pixels that link browsing behaviour to an individual also involve personal data processing under UK GDPR. The cookie consent requirement itself comes from the Privacy and Electronic Communications Regulations (PECR), which sit alongside UK GDPR: setting a tracking or analytics cookie on someone’s device before they have agreed to it is unlawful, while cookies that are strictly necessary for the service the visitor asked for (a login session or shopping basket, for example) do not need consent.
You don’t need to collect a lot of information for GDPR to apply. A simple “Contact Us” form that captures a name and email address is enough to create obligations under the regulation.
Your Key GDPR Obligations as a Website Operator
Lawful basis: you must have a valid legal reason for collecting and processing personal data. For most small business website enquiries, the lawful basis is “legitimate interests” (you have a legitimate business reason to process an enquiry) or “contract” (the person wants you to quote for a job, which requires processing their details before any contract is signed). For marketing emails, the lawful basis is usually “consent,” which must be freely given, specific, informed and unambiguous.
Transparency: you must tell people what data you collect, why you collect it, how long you keep it, and their rights under UK GDPR. This information goes in your privacy policy. Your contact forms should reference your privacy policy (typically a brief statement and a link).
Data minimisation: only collect the information you actually need. A contact form that asks for a name and email is appropriate; one that also asks for date of birth, employer, and annual income is not — unless you have a clear reason for needing those details. Less data collected means less risk and simpler compliance.
Practical Steps for Your Website
Audit your data flows: list every place on your website where personal data is collected, what happens to it, and where it ends up. Contact forms, newsletter sign-ups, live chat, booking systems, and analytics tools are the most common sources. For each one, confirm you have a lawful basis, that your privacy policy covers it, and that data is stored securely.
Review your contact forms and email sign-ups. Consent for marketing emails must be active (a ticked checkbox the user has chosen to tick, not pre-ticked) and must be separate from consent to be contacted about a specific enquiry. Keep records of when and how consent was given.
Appoint a point of contact for data subject requests. Under UK GDPR, individuals have the right to access the data you hold about them, request correction, or ask you to delete it. You must respond without undue delay and within one calendar month; that deadline can be extended by up to two further months for complex or numerous requests, but only if you tell the person about the extension within the first month. Even for a small business, having a clear internal process for handling these requests protects you if one arrives.
Common questions
Does UK GDPR apply to my small business website?
Do I need to register with the ICO?
What happens if I have a data breach on my website?