If you run a small business in the UK and have a website, GDPR applies to you. It doesn't matter whether you're a sole trader, a limited company, or a charity — if your website collects personal data from visitors, you must comply with UK GDPR as enforced by the Information Commissioner's Office (ICO).
The good news is that for most small businesses, compliance comes down to a relatively straightforward checklist. Here's what you need to have in place.
1. A Privacy Policy
Your privacy policy is the foundation of GDPR compliance. It must explain:
- What personal data you collect (names, email addresses, IP addresses, etc.)
- Why you collect it and what you use it for
- The lawful basis for each type of processing
- Who you share data with (including third-party tools like Google Analytics)
- How long you keep data
- Users' rights and how to exercise them
- How to contact you with data-related queries
A generic privacy policy template is not enough. Your policy must accurately reflect what your site actually does.
2. Cookie Consent
If your website uses non-essential cookies — such as analytics cookies, advertising cookies, or social media pixels — you must obtain prior consent from visitors before placing them.
This means:
- A cookie consent banner that appears before non-essential cookies are loaded
- A genuine choice — users must be able to say no
- Pre-ticked boxes are not permitted
- Users must be able to withdraw consent as easily as they gave it
Simply having a cookie notice that says "by using this site you accept cookies" does not constitute valid consent under GDPR.
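The banner rule above, as an added example that is not part of the original article: non-essential scripts are registered with a consent gate and only loaded once the visitor has actively granted consent, with withdrawal a single call that records the refusal and deletes the cookies those scripts set. The cookie name, the `env` helper and the in-memory environment are assumptions made for illustration.

```javascript
const CONSENT_COOKIE = 'cookie_consent'; // assumed name; holds "granted" or "denied"

// env stands in for the browser: { getCookie, setCookie, deleteCookie, loadScript }.
function createConsentGate(env) {
  const registry = []; // non-essential scripts: { name, src, cookiesSet, loaded }

  // No record means no consent: a visitor who ignored the banner has not agreed.
  function status() {
    return env.getCookie(CONSENT_COOKIE) || 'unknown';
  }
  function load(entry) {
    if (entry.loaded) return;
    env.loadScript(entry.src);
    entry.loaded = true;
  }
  // Register a non-essential script; it loads only once status() is "granted".
  function register(name, src, cookiesSet) {
    const entry = { name, src, cookiesSet, loaded: false };
    registry.push(entry);
    if (status() === 'granted') load(entry);
    return entry;
  }
  function grant() {
    env.setCookie(CONSENT_COOKIE, 'granted');
    registry.forEach(load);
  }
  // Withdrawal is one call, the same effort as granting. A script that already
  // ran cannot be unloaded, so the refusal is recorded (it stays gated on the
  // next page load) and the cookies it set are deleted now.
  function withdraw() {
    env.setCookie(CONSENT_COOKIE, 'denied');
    registry.forEach((e) => e.cookiesSet.forEach((c) => env.deleteCookie(c)));
  }
  return { status, register, grant, withdraw };
}

// In-memory stand-in for document.cookie and <script> injection, so the gate
// can be exercised outside a browser (constructed for this example).
function createMemoryEnv() {
  const cookies = new Map();
  const scripts = [];
  return {
    cookies, scripts,
    getCookie: (n) => cookies.get(n),
    setCookie: (n, v) => cookies.set(n, v),
    deleteCookie: (n) => cookies.delete(n),
    loadScript: (src) => scripts.push(src),
  };
}
```

In a real page, `env` would wrap `document.cookie` and append a `<script>` element, and the banner's buttons would call `grant()` and `withdraw()`.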
3. A Cookie Policy
Separate from your privacy policy, a cookie policy explains specifically what cookies your site uses, what they do, and how visitors can control them. Many businesses combine this with their privacy policy, which is acceptable as long as the cookie information is clearly presented.
4. Secure Data Handling
GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data. For a small business website, this typically means:
- HTTPS encryption on your website
- Secure passwords and access controls
- Regular software and plugin updates
- A process for responding to data breaches
5. Data Retention Policy
You must not keep personal data for longer than necessary. Your privacy policy should specify how long you retain different types of data — for example, enquiry form submissions, customer records, and email marketing lists.
6. Data Subject Rights
Under GDPR, individuals have the right to access their data, correct it, delete it, and more. You must have a process for handling these requests and must respond within 30 days. Your privacy policy should explain how users can exercise these rights.
7. Third-Party Tools and Processors
Every third-party tool on your website that processes personal data — Google Analytics, Facebook Pixel, live chat tools, email marketing platforms — must be disclosed in your privacy policy. You should also have Data Processing Agreements in place with these providers.
8. Contact Form Compliance
If you have a contact form, you must explain in your privacy policy how you handle form submissions, how long you keep them, and what you do with the information provided.
How to Check Your Compliance
Going through this checklist manually is time-consuming and easy to get wrong. ClearlyCompliant's automated GDPR report scans your website across 23 compliance checks and delivers a detailed PDF report with specific recommendations — for just £29.99.