The state of GDPR in the UK in 2026
When the UK left the EU, "EU GDPR" stopped applying directly. But it was immediately replaced with UK GDPR — almost identical, slightly tweaked, enforced by the Information Commissioner's Office (ICO).
For UK businesses, the practical reality is: you still need to comply, the rules are basically the same, and the ICO has actively been issuing fines.
This guide covers the practical website-side requirements. It's not legal advice (we're not lawyers), but it's the playbook we follow on every site we build, and it'll get most UK small businesses 95% of the way to compliance.
If you're planning a new site or redesign, GDPR is one of the 47 items covered in our UK small business website launch checklist — run through that alongside this guide.
What counts as "personal data"?
Anything that can identify a living person, directly or indirectly. The obvious stuff:
- Names
- Email addresses
- Phone numbers
- Postal addresses
The less obvious stuff that catches people out:
- IP addresses
- Cookies (most of them)
- Browser fingerprints
- Photographs of people
- Order history
If your website collects any of this — and almost every website does — UK GDPR applies.
The 7 things every UK business website needs
1. A Privacy Policy
The single most important page for compliance. It must explain:
- Who you are (your business name and contact details)
- What personal data you collect (and how)
- Why you collect it (your "lawful basis" — legitimate interest, contract, consent, etc.)
- How long you keep it
- Who you share it with (Google Analytics, Mailchimp, Stripe, etc.)
- What rights users have (access, deletion, correction, portability)
- How users can complain to the ICO
- Whether their data is transferred outside the UK (e.g. to US-based services)
Templates exist (ICO publishes one), but a generic copy-paste won't cover your specific situation. The ICO actively penalises businesses with vague or copy-pasted policies.
2. A Cookie Policy
Separate from your Privacy Policy (or a clearly distinct section within it). Must list:
- Every cookie your site uses
- What each cookie does
- How long it lasts
- How to opt out
Use a free cookie scanner tool (Cookiebot, CookieYes, Termly) to discover what cookies you actually have. Most websites have far more than the owner realises.
3. A Cookie Consent Banner (PECR + UK GDPR)
This is where most UK websites fail. The rules:
- Banner must appear on first visit before non-essential cookies load
- Users must be able to reject all non-essential cookies as easily as accept
- Pre-ticked boxes are not valid consent (no "by using this site you accept...")
- Cookies must NOT load until consent is given (this is the bit most banners get wrong)
- Users must be able to change their mind later (a "Cookie Preferences" link in the footer)
A "Reject All" button must exist with equal prominence to "Accept All." Banners that hide "Reject" behind a "Customise" button are non-compliant — and the ICO has made this clear.
Compliant solutions: Cookiebot (£8-£60/month depending on traffic), CookieYes (£8/month), Termly (free tier available), or custom-built consent management.
4. Forms with Clear Consent
Every form on your site that collects personal data needs:
- Clear statement of what you'll do with the data ("We'll use this to respond to your enquiry, no marketing")
- Separate, unticked checkbox if you want to add them to a marketing list (you cannot pre-tick this, ever)
- Link to your Privacy Policy
- Specific consent for each purpose (one tick for "respond to my enquiry" vs another tick for "send me marketing")
The contact form on your site should NOT silently add submitters to your mailing list. That's an instant compliance failure.
5. Newsletter Sign-Up With Double Opt-In
Adding someone to your mailing list requires explicit, recorded consent. Best practice:
- User submits email through a sign-up form
- They receive a confirmation email asking them to click a link to confirm
- Only after confirmation are they added to the active list
This "double opt-in" process gives you a defensible record of consent.
Mailchimp, Brevo, ConvertKit, and most reputable email platforms have double opt-in built in. Turn it on.
6. SSL / HTTPS
Required by UK GDPR (Article 32 — "appropriate technical measures"). Any site collecting personal data over plain HTTP is non-compliant.
Free SSL via Let's Encrypt is universally available. There's no excuse not to have HTTPS in 2026 — missing HTTPS is in fact one of the 12 signs your business needs a website redesign precisely because it signals the site isn't being maintained.
7. Data Subject Rights — Easy to Exercise
UK GDPR gives users rights including:
- Right to access — they can request a copy of all data you hold on them
- Right to deletion ("right to be forgotten")
- Right to correction
- Right to data portability
- Right to object to processing
Your Privacy Policy must explain how to exercise these rights, and you must respond within one month.
For most small businesses, this means:
- A clear email address (e.g. privacy@yourbusiness.co.uk)
- An internal process for handling these requests
- Knowing what data you actually hold so you can produce/delete it
The biggest GDPR mistakes UK businesses make
After auditing dozens of UK business websites, these are the top recurring failures:
Mistake 1: Cookies loading before consent
Your Google Analytics script loads on page view. Your Facebook Pixel loads on page view. Your Hotjar tracking loads on page view. Then the cookie banner appears asking for consent... but it's too late. Cookies are already set.
This is also a speed problem — every extra third-party script before consent contributes to slow page loads. Our Core Web Vitals guide covers how third-party scripts affect your Google rankings.
Fix: Use a Consent Management Platform (CMP) like Cookiebot or CookieYes that ACTUALLY blocks scripts until consent is given. Most basic banner plugins just display the banner without blocking anything.
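If you are building the consent mechanism yourself rather than using a CMP, the part that matters is the blocking. The following is an added example written for this guide, not Webgenix's code and not a CMP vendor's script. It assumes the third-party tags are written as `<script type="text/plain" data-consent="analytics" data-src="...">` so the browser never executes them on its own, stores the visitor's decision under an assumed `localStorage` key, and only then turns the allowed tags into real scripts. The element ids (`cookie-banner`, `accept-all`, `reject-all`, `cookie-preferences`), the attribute names and the storage key are all assumptions.

```javascript
// Added example (not Webgenix's or a CMP vendor's code): consent-gated loading of
// third-party scripts. Attribute names, element ids and the storage key are assumed.

const CONSENT_KEY = "cookieConsent"; // assumed localStorage key
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories used here

// Returns the stored consent record, or null if the visitor has not decided yet
// (or the stored value is unreadable, which is treated the same as no decision).
function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    const parsed = JSON.parse(raw);
    if (typeof parsed !== "object" || parsed === null || !parsed.choices) return null;
    return parsed;
  } catch (e) {
    return null;
  }
}

// Builds the record to store: one boolean per category plus a timestamp, so there
// is a record of what was agreed and when. Anything not exactly true is a refusal.
function buildConsentRecord(choices, decidedAt) {
  const record = { decidedAt, choices: {} };
  for (const cat of CATEGORIES) record.choices[cat] = choices[cat] === true;
  return record;
}

// Categories whose scripts may run. With no decision yet, nothing non-essential loads;
// strictly necessary scripts are ordinary <script> tags and never pass through here.
function allowedCategories(record) {
  if (!record) return [];
  return CATEGORIES.filter((cat) => record.choices[cat] === true);
}

// Turns the blocked tags for allowed categories into real <script> elements.
// Returns how many were activated.
function activateScripts(doc, allowed) {
  let activated = 0;
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const tag of blocked) {
    if (!allowed.includes(tag.getAttribute("data-consent"))) continue;
    const real = doc.createElement("script");
    if (tag.dataset.src) real.src = tag.dataset.src;
    else real.textContent = tag.textContent;
    tag.replaceWith(real);
    activated++;
  }
  return activated;
}

function recordDecision(storage, choices) {
  const record = buildConsentRecord(choices, new Date().toISOString());
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Browser wiring: "Accept all" and "Reject all" are each a single click, and the
// footer "Cookie preferences" link clears the decision so the banner shows again.
if (typeof document !== "undefined") {
  const existing = readConsent(localStorage);
  activateScripts(document, allowedCategories(existing));
  const banner = document.getElementById("cookie-banner");
  if (banner) {
    banner.hidden = existing !== null;
    document.getElementById("accept-all").onclick = () => {
      const rec = recordDecision(localStorage, { analytics: true, marketing: true });
      activateScripts(document, allowedCategories(rec));
      banner.hidden = true;
    };
    document.getElementById("reject-all").onclick = () => {
      recordDecision(localStorage, {}); // every category recorded as refused
      banner.hidden = true;
    };
    const prefs = document.getElementById("cookie-preferences");
    if (prefs) prefs.onclick = () => { localStorage.removeItem(CONSENT_KEY); banner.hidden = false; };
  }
}
```

The check that your banner "actually blocks" reduces to this: before any decision, `allowedCategories` returns an empty list and no tag is activated, and a script only runs once it has been rewritten from `text/plain` to a real `<script>`. Open the Network tab on a fresh visit and confirm no analytics or pixel requests fire before you click.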
Mistake 2: Pre-ticked marketing checkbox
"Tick here to receive updates" pre-ticked = not consent.
Fix: Default to unticked. Always.
Mistake 3: Marketing emails without unsubscribe
Every marketing email must include an easy unsubscribe link. PECR requires this for UK businesses.
Fix: Use a proper email marketing platform (Mailchimp, Brevo, etc.) that handles unsubscribes automatically.
Mistake 4: Vague Privacy Policy
A 200-word "we may use your data to improve our services" policy is not compliant. The ICO has specifically flagged this pattern.
Fix: Use ICO's template as a starting point and customise it specifically for your business and the actual platforms you use.
Mistake 5: No clear data retention period
"We keep your data as long as necessary" is not a retention period. UK GDPR requires specific timeframes.
Fix: Document specific retention periods for each type of data you collect (e.g. "Contact form submissions deleted after 12 months unless converted to a customer").
Mistake 6: Storing card details
If your website stores credit card details (rather than passing them to a payment processor like Stripe), you have massive PCI DSS obligations on top of GDPR.
Fix: Use Stripe, PayPal, or Worldpay. Never store card details yourself.
Mistake 7: International data transfers without safeguards
Using Google Analytics? You're transferring data to the US. Using Mailchimp? US. Using Hotjar? Ireland but parent company in US.
UK GDPR requires "appropriate safeguards" for international transfers. The current legal framework (the UK-US Data Bridge) covers most major US providers, but you must explicitly disclose these transfers in your Privacy Policy.
Fix: List every third-party service in your Privacy Policy and where data goes.
Real consequences of non-compliance
The ICO has been actively enforcing UK GDPR. Recent UK fines include:
- British Airways: £20m fine for data breach
- Marriott International: £18.4m fine for data breach
- Cabinet Office: £500,000 for inadvertent data disclosure
- TikTok: £12.7m for misuse of children's data
Yes, those are large companies — but the ICO also pursues smaller businesses, particularly for:
- Sending marketing emails without consent (PECR)
- Cookie banner non-compliance (PECR)
- Failing to respond to data subject access requests
- Inadequate Privacy Policies
Smaller fines for SMEs are typically £1,000-£10,000, but the reputational damage and ongoing compliance work cost far more.
Quick GDPR audit for your website
Run through this 10-point check on your current website:
- ☐ Do you have a Privacy Policy that lists EVERY third-party service you use?
- ☐ Do you have a Cookie Policy listing every cookie?
- ☐ Do you have a cookie consent banner with equal-weight Accept/Reject options?
- ☐ Does your banner ACTUALLY block cookies until consent is given?
- ☐ Do all forms have a Privacy Policy link nearby?
- ☐ Are marketing checkboxes unticked by default?
- ☐ Is your newsletter sign-up double opt-in?
- ☐ Is your site on HTTPS?
- ☐ Do you have a clear privacy contact email and process?
- ☐ Do you have a documented data retention policy?
Score 9-10: Probably compliant
Score 6-8: Significant gaps to fix
Score 5 or below: Active non-compliance — fix urgently
Realistic timeline to get compliant
For most UK small business websites, getting fully compliant takes:
- Privacy Policy update: 2-3 hours (or buy a customised template for £100-£300)
- Cookie consent solution: 1-2 hours setup + £8-£20/month ongoing
- Form audit and updates: 2-3 hours
- Email marketing audit: 1-2 hours
- Documentation of data flows: 3-4 hours
Total: roughly one working day, plus ongoing maintenance.
When you need professional help
DIY compliance works for most small businesses. You should get professional legal/compliance help if:
- You handle sensitive data (health, biometrics, criminal records)
- You market to or collect data from children under 13
- You operate in a regulated industry (finance, healthcare, legal)
- You've had a data breach
- You receive a complaint or ICO inquiry
The ICO offers free guidance for small businesses on their website. Take advantage of it.
Next steps
If your current website is failing the 10-point audit above, you have three options:
- Fix it yourself using this guide and the ICO resources
- Get your developer to fix it (most can if you ask specifically)
- Get a redesign that bakes compliance in from the start
Most older websites have so many compliance issues that fixing them piecemeal costs more than rebuilding properly. If your website is more than 3 years old AND you're failing this audit, redesign is usually the right answer — and the broader 12 signs your business needs a website redesign will help you weigh it up.
Costs for a compliant redesign typically sit between £1,800 and £5,000 for small UK businesses — our honest Derby web design pricing guide breaks it down by business type, or use the free website cost calculator for an instant ballpark.
How Webgenix builds GDPR-compliant websites
Every site we deliver includes:
- ICO-compliant Privacy Policy and Cookie Policy templates customised to your business
- Properly-blocking cookie consent banner
- Forms with consent requirements built-in
- Double opt-in newsletter integration
- HTTPS as standard
- Documented data flows for your records
Get a free quote for your project → or learn more about our web design services for Derby businesses.
Learn more:
- UK small business website launch checklist →
- 12 signs your business needs a website redesign →
- Core Web Vitals guide for UK small businesses →
Disclaimer: This article is general guidance, not legal advice. UK GDPR compliance varies by industry and circumstances. For high-risk situations, consult a qualified data protection professional or solicitor.