Since GDPR came into force in 2018, it's been used as a reason to add alarming cookie banners, bloated privacy policies, and general anxiety to otherwise straightforward small business websites. Most of it is overkill. Here's what you actually need — and what you can stop worrying about.
Note: this article is for general guidance only and does not constitute legal advice. For anything specific to your situation, consult a solicitor or the ICO directly.
Do You Even Need to Register with the ICO?
Most businesses that handle personal data need to pay the Information Commissioner's Office (ICO) data protection fee — currently £40/year for most small organisations. If you collect any data at all (contact form submissions, email addresses, even just keeping a customer spreadsheet), the fee almost certainly applies to you. The fine for non-payment is far larger than the fee itself, so it's worth checking at ico.org.uk/registration.
What Your Website Needs for GDPR
A privacy policy
If your website collects any personal data — a contact form, an email sign-up, even just Google Analytics tracking visitors — you need a privacy policy. It should explain: what data you collect, why you collect it, how long you keep it, whether you share it with anyone (such as a form provider or email marketing platform), and how people can request their data be deleted.
You don't need a lawyer to write a basic privacy policy. There are free generators online (including from the ICO) that will produce something adequate for a small business website. The key is having one — and keeping it up to date if anything changes.
Cookie consent (but probably not the scary kind)
Cookies that are "strictly necessary" for the website to function (such as session cookies that remember form data) do not require consent. Cookies that track behaviour — like Google Analytics — do require consent under UK law.
For most small business websites, a simple notice saying "this site uses Google Analytics — by continuing to use this site you accept that" is a reasonable approach. A full cookie consent management platform with hundreds of toggles is unnecessary for a basic website.
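One way to put the "strictly necessary versus tracking" distinction into practice is to load Google Analytics only after the visitor has actively accepted it, and to keep the visitor's choice in a first-party cookie (which is itself a functional cookie, not a tracking one). The snippet below is an added example written for this article, not code from the original page or from Google; the cookie name `cookie_consent`, the `G-XXXXXXX` measurement ID placeholder and the 180-day retention period are all assumptions you would replace with your own values.

```javascript
// Added example: consent-gated loading of Google Analytics.
// The consent cookie name, the measurement ID placeholder and the retention
// period below are assumptions for illustration, not values from the article.
const CONSENT_COOKIE = "cookie_consent";          // assumed cookie name
const GA_MEASUREMENT_ID = "G-XXXXXXX";            // placeholder, replace with yours
const CONSENT_MAX_AGE_DAYS = 180;                 // assumed retention of the choice

// Parse a raw document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Returns "granted", "denied" or null when no valid choice has been recorded.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "granted" || v === "denied" ? v : null;
}

// Analytics cookies need opt-in, so only an explicit "granted" loads the tag.
// An absent cookie, a "denied" value or garbage all mean: do not load it.
function shouldLoadAnalytics(cookieString) {
  return consentState(cookieString) === "granted";
}

// Build the cookie string that records the visitor's choice. The cookie is
// first-party, Secure and SameSite=Lax, and carries no tracking information.
function consentCookieValue(choice, maxAgeDays) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("choice must be 'granted' or 'denied'");
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Inject the gtag.js loader and the standard gtag bootstrap into the page.
// Only ever called after shouldLoadAnalytics() returns true.
function loadGoogleAnalytics(doc, win, measurementId) {
  const s = doc.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
  doc.head.appendChild(s);
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  gtag("js", new Date());
  gtag("config", measurementId);
}

// Browser glue: wire the banner's buttons (assumed ids) to the functions above.
// Guarded so the module also runs outside a browser (e.g. in a Node test).
if (typeof document !== "undefined" && typeof window !== "undefined") {
  const banner = document.getElementById("cookie-banner");   // assumed element id
  const state = consentState(document.cookie);
  if (state === "granted") {
    loadGoogleAnalytics(document, window, GA_MEASUREMENT_ID);
  } else if (state === null && banner) {
    banner.hidden = false;   // no choice yet: show the notice, load nothing
    document.getElementById("cookie-accept").addEventListener("click", () => {
      document.cookie = consentCookieValue("granted", CONSENT_MAX_AGE_DAYS);
      banner.hidden = true;
      loadGoogleAnalytics(document, window, GA_MEASUREMENT_ID);
    });
    document.getElementById("cookie-decline").addEventListener("click", () => {
      document.cookie = consentCookieValue("denied", CONSENT_MAX_AGE_DAYS);
      banner.hidden = true;
    });
  }
}
```

The design point is that the analytics script is never on the page until the accept handler runs, so a visitor who ignores the banner, or declines, is not tracked; session and form-state cookies set by your site are unaffected because they are strictly necessary and are not touched by this code.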
Contact form compliance
If you have a contact form, add a short statement near the submit button — something like: "By submitting this form you agree to us using your details to respond to your enquiry. We won't use them for marketing without your permission." This does not need to be lengthy — just clear.
What GDPR Means for Your Customer Data
If you store customer information — even in a spreadsheet or your phone contacts — GDPR applies to that too. The key principles are:
- Only collect what you need — don't ask for a date of birth if you don't need it
- Don't keep data longer than necessary — old enquiry emails from five years ago probably don't need to exist
- Keep it secure — a spreadsheet on an unprotected laptop is a risk
- Respond to data requests — if a customer asks what data you hold on them, you're obliged to tell them within 30 days
The three things most small business websites actually need:
- A privacy policy page, linked in the footer.
- A basic cookie notice, especially if you use Google Analytics.
- A short consent line on your contact form.
That's it for the vast majority of local service businesses. Don't let anyone sell you a £500 GDPR compliance package for a simple website.
Email Marketing and GDPR
If you send marketing emails, people need to have specifically opted in to receive them. "They're a customer" is not sufficient — unless they gave you their email specifically to receive marketing, you need explicit consent.
In practice, for most small businesses: if someone filled in a contact form asking about your service, you can reply and discuss the job. What you can't do is add them to a newsletter list they didn't ask for. Always include an unsubscribe option in any marketing emails, and keep a record of when and how consent was given.
What Happens if You Get a Data Request or Complaint?
If someone asks you to delete their data or tell them what information you hold, you have 30 days to respond. For a small business this usually means deleting their email address and any notes you have about them. The ICO's guidance on handling these requests is straightforward and free to read.
The ICO rarely goes after small businesses for minor technical non-compliance. What tends to trigger enforcement is serious breaches — data hacks, selling data without consent, or ignoring genuine complaints. For a local service business handling a handful of customer enquiries a week, the risk is low if you've taken basic steps.
ICO registration check: Go to ico.org.uk/registration and use the self-assessment tool to confirm whether you need to register and pay the annual fee. Most businesses that handle any personal data need to. It takes five minutes and costs £40. It's one of those things that's easy to miss — but the fine for non-compliance is up to £4,000.
From £20/month, £0 setup fee, live in 48 hours. We build fast, SEO-ready websites for UK small businesses — no contract, cancel anytime.