{"id":1853,"date":"2026-04-25T14:51:14","date_gmt":"2026-04-25T13:51:14","guid":{"rendered":"https:\/\/www.duport.co.uk\/blog\/?p=1853"},"modified":"2026-04-25T15:12:00","modified_gmt":"2026-04-25T14:12:00","slug":"how-to-make-your-small-business-website-gdpr-compliant","status":"publish","type":"post","link":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/","title":{"rendered":"How to Make Your Small Business Website GDPR Compliant"},"content":{"rendered":"<h1>How to Make Your Small Business Website GDPR Compliant<\/h1>\n<p>GDPR usually comes up at a slightly awkward moment. That catches a lot of people out, especially when trying to maintain GDPR compliance for small business websites that were put together quickly.<\/p>\n<p>This breaks down what needs to be in place, without the legal jargon that tends to make people switch off halfway through. You&#8217;ll find privacy policy requirements, contact form rules, the mailing list trap most businesses fall into, and what changed in 2026.<\/p>\n<h2>What does GDPR compliance for small business websites actually mean?<\/h2>\n<p><strong>If your site collects things like names, email addresses, or phone numbers, GDPR kicks in. Those rules cover how you collect that information, how you use it, and how long you keep it.<\/strong><\/p>\n<p>In practice, that includes even very simple setups, even a one-page site with a \u2018call me back\u2019 form or a basic booking calendar. If someone can type their details into your site, even just a \u2018call me back\u2019 box, that counts. It doesn\u2019t have to be a complex system. UK GDPR is enforced by the ICO and applies to all UK businesses regardless of size. There&#8217;s no minimum threshold.<\/p>\n<h2>Does my contact form need a privacy policy?<\/h2>\n<p><strong>Yes. 
A privacy policy is a legal requirement the moment your website collects any personal data.<\/strong><\/p>\n<p>UK GDPR and the Data Protection Act 2018 require you to publish a privacy policy. It must cover what data you collect, why you hold it, how long you keep it, and who you share it with. Put a link to it in your footer, and add a second link near any form on the page. Copying a privacy policy from another website and leaving it as-is is a common shortcut. But it\u2019s also where a lot of sites fall down. If it doesn\u2019t reflect what you do, it won\u2019t hold up. It needs to match what you actually do in practice. It\u2019s quite common to see policies mentioning tools or services the business doesn\u2019t even use anymore, often because the original version was copied and never revisited.<\/p>\n<p>At minimum, your policy must name the data controller, that&#8217;s you. It also needs your lawful basis for processing, how long you keep data, and how people can request its deletion. The ICO has a clear guide if you&#8217;re writing your own.<\/p>\n<h2>Do I need a checkbox on my contact form?<\/h2>\n<p><strong>For a standard enquiry form, where you&#8217;re only using the data to reply, a checkbox is not required. A link to your privacy policy is.<\/strong><\/p>\n<p>UK GDPR requires a &#8220;lawful basis&#8221; for every type of data processing. In most everyday cases, like replying to an inquiry, \u2018legitimate interests\u2019 is the basis people rely on. It\u2019s the practical option, and usually the correct one. You don&#8217;t need their explicit consent. What you need is a short statement near the form. Something like: &#8220;We&#8217;ll use your details to respond to your message. See our privacy policy.&#8221;<\/p>\n<p>If you plan to use that data for anything else, adding them to a mailing list, sending marketing or sharing with third parties, you need explicit consent. 
A standalone checkbox on the form is the right way to get it.<\/p>\n<h2>Can I add someone to my mailing list after they contact me?<\/h2>\n<p><strong>No, a contact form submission does not give you permission to send marketing emails.<\/strong><\/p>\n<p>This is where a lot of small businesses slip up, especially after a busy week of enquiries when it\u2019s tempting to add everyone into a mailing list. Someone fills in your contact form asking for a quote. You reply, maybe send a follow-up a few days later, and then add them to your newsletter list while you\u2019re tidying up your inbox at the end of the week. That extra step is where the issue starts. That requires separate, explicit consent. The original enquiry form did not provide it. This tends to happen gradually rather than deliberately, especially when you\u2019re trying to make the most of incoming enquiries.<\/p>\n<p>Pre-ticked boxes won\u2019t cut it. And hiding consent in your terms and conditions is just as ineffective. You need a clear, standalone opt-in, usually a separate unticked checkbox that explicitly mentions marketing emails. Anything less tends to fall into a grey area. If you plan to use someone&#8217;s data for anything beyond replying, get separate permission.<\/p>\n<h2>2026 Updates: GDPR compliance for small business websites<\/h2>\n<p><strong>The Data (Use and Access) Act 2025 came into force on 5 February 2026. It updated UK GDPR in ways small businesses should know about.<\/strong><\/p>\n<p>The main change is a new category called \u2018recognised legitimate interests\u2019, a seventh option for specific purposes. These cover areas like fraud prevention and network security, where organisations can process data without running a full Legitimate Interests Assessment. For most small business websites, especially ones just handling enquiries, you\u2019ll probably never notice this change in day-to-day use. 
It\u2019s more relevant to businesses dealing with things like fraud checks or network security.<\/p>\n<p>But the ICO updated its official guidance on 23 March 2026 to reflect the new legislation. Any privacy policy written before that date may now be partially out of date. If your policy hasn\u2019t been reviewed recently, it\u2019s worth a quick check, especially if it was written before 2026 and hasn\u2019t been touched since.<\/p>\n<p>If you\u2019re not completely sure your site covers all of this right now, run it through our free GDPR compliance for small business websites checker. It takes two minutes and tells you exactly what your website has and what&#8217;s missing.<\/p>\n<p><a href=\"https:\/\/uk-website-check.base44.app\/\">Check your website now \u2192<\/a><\/p>\n<p>Cookies and tracking tools fall under a separate set of rules. We&#8217;ve covered the full picture in <a href=\"https:\/\/www.duport.co.uk\/blog\/do-i-need-a-cookie-banner-on-my-website-uk-rules-explained\/\">Do I Need a Cookie Banner on My Website?<\/a> If you&#8217;re on Wix specifically, <a href=\"https:\/\/www.duport.co.uk\/blog\/is-my-wix-cookie-banner-gdpr-compliant\/\">Is My Wix Cookie Banner GDPR Compliant?<\/a> covers the specific gaps in Wix&#8217;s built-in cookie tool.<\/p>\n<h2>What happens if my website isn&#8217;t GDPR compliant?<\/h2>\n<p><strong>The ICO can issue fines of up to \u00a317.5 million or 4% of annual turnover, but for most small businesses the realistic risk looks different.<\/strong><\/p>\n<p>ICO enforcement focuses on organisations causing real harm: data breaches, deliberate misuse, or persistent non-compliance after a formal warning. For most small businesses, the issue shows up in more practical ways before anything else, like a customer asking for their data, or a complaint you\u2019re not quite prepared to handle. A data subject access request you&#8217;re not set up to deal with. 
Or more subtly, it can chip away at trust, especially if someone notices gaps in how your site handles their information.<\/p>\n<p>Once you strip it back, GDPR at a small business level is manageable. It\u2019s just not always obvious where to start. It\u2019s rarely ignored completely; it just gets pushed down the list because the rules feel unclear.<\/p>\n<h2>Want a website that&#8217;s built compliantly from the start?<\/h2>\n<p>Duport builds professional websites for UK small businesses. Each site includes the legal pages you\u2019ll need from the start: privacy policy, cookie notice, and terms and conditions. They\u2019re based on how your business actually runs, rather than a generic template design.<\/p>\n<p><a href=\"https:\/\/www.duport.co.uk\/related-services\/website-design\">Duport&#8217;s website build starts from \u00a3360.<\/a> Mention this article when you get in touch and we&#8217;ll honour the \u00a3144 rate.<\/p>\n<p>Not sure whether it&#8217;s worth handing over? We&#8217;ve covered the full decision in <a href=\"https:\/\/www.duport.co.uk\/blog\/should-i-hire-someone-to-build-my-website\/\">Should I Hire Someone to Build My Website?<\/a><\/p>\n<h6><em>This article is for general guidance. For advice specific to your business and data processing activities, speak to a qualified solicitor or data protection specialist.<\/em><\/h6>\n<hr \/>\n<h2>FAQs<\/h2>\n<ul>\n<li>\n<h3>Does a small business need to register with the ICO?<\/h3>\n<\/li>\n<\/ul>\n<p>Most businesses that process personal data need to pay the ICO&#8217;s annual data protection fee. 
It starts at \u00a340 per year for small organisations and renews annually.<\/p>\n<ul>\n<li>\n<h3>How long can I keep data from my contact form?<\/h3>\n<\/li>\n<\/ul>\n<p>UK GDPR doesn&#8217;t set a fixed period; you decide what&#8217;s reasonable for your purpose, document that decision, and delete the data when the period ends.<\/p>\n<ul>\n<li>\n<h3>What is the ICO and do I need to tell them about my website?<\/h3>\n<\/li>\n<\/ul>\n<p>The ICO is the UK&#8217;s data protection regulator. You don&#8217;t notify them about individual forms, but most businesses processing personal data need to pay the annual data protection fee.<\/p>\n<ul>\n<li>\n<h3>Is my Wix or Squarespace website legally compliant in the UK?<\/h3>\n<\/li>\n<\/ul>\n<p>Not automatically. UK law requires your website to include a privacy policy, a cookie notice, clear terms and conditions, and specific business information, such as your registered company name and number if you&#8217;re a limited company. Most website builders include template pages for some of these, but they don&#8217;t check whether your content is accurate or complete. Use our free website compliance checker to see what your site has and what it&#8217;s missing.<\/p>\n<p><a href=\"https:\/\/uk-website-check.base44.app\/\">Check your website \u2192<\/a><\/p>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>How to Make Your Small Business Website GDPR Compliant GDPR usually comes up at a slightly awkward moment. That catches a lot of people out, especially when trying to maintain GDPR compliance for small business websites that were put together quickly. 
This breaks down what needs to be in place, without the legal jargon that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1861,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[185],"tags":[],"acf":[],
"yoast_head_json":{"title":"GDPR Compliance for Small Business Websites | 2026 UK Guide","description":"How to make your small business website GDPR compliant in the UK \u2014 contact form rules, privacy policy requirements, and what changed in 2026.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/","og_locale":"en_GB","og_type":"article","og_title":"GDPR Compliance for Small Business Websites | 2026 UK Guide","og_description":"How to make your small business website GDPR compliant in the UK \u2014 contact form rules, privacy policy requirements, and what changed in 2026.","og_url":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/","og_site_name":"Duport Blog","article_published_time":"2026-04-25T13:51:14+00:00","article_modified_time":"2026-04-25T14:12:00+00:00","og_image":[{"width":2048,"height":2048,"url":"https:\/\/www.duport.co.uk\/blog\/wp-content\/uploads\/2026\/04\/Gemini_Generated_Image_z0mpuqz0mpuqz0mp.jpeg","type":"image\/jpeg"}],"author":"rebecca","twitter_card":"summary_large_image","twitter_creator":"@rebecca@duportltd.co.uk","twitter_misc":{"Written by":"rebecca","Estimated reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/","url":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/","name":"GDPR Compliance for Small Business Websites | 2026 UK 
Guide","isPartOf":{"@id":"https:\/\/www.duport.co.uk\/blog\/#website"},"datePublished":"2026-04-25T13:51:14+00:00","dateModified":"2026-04-25T14:12:00+00:00","author":{"@id":"https:\/\/www.duport.co.uk\/blog\/#\/schema\/person\/7ab758c8f0702249ec7d30a15d69ef8b"},"description":"How to make your small business website GDPR compliant in the UK \u2014 contact form rules, privacy policy requirements, and what changed in 2026.","breadcrumb":{"@id":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.duport.co.uk\/blog\/how-to-make-your-small-business-website-gdpr-compliant\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.duport.co.uk\/blog\/"},{"@type":"ListItem","position":2,"name":"How to Make Your Small Business Website GDPR Compliant"}]},{"@type":"WebSite","@id":"https:\/\/www.duport.co.uk\/blog\/#website","url":"https:\/\/www.duport.co.uk\/blog\/","name":"Duport Blog","description":"Business help and advice","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.duport.co.uk\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Person","@id":"https:\/\/www.duport.co.uk\/blog\/#\/schema\/person\/7ab758c8f0702249ec7d30a15d69ef8b","name":"rebecca","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.duport.co.uk\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/713b221cb7214d94bdfde2651dbee3c3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/713b221cb7214d94bdfde2651dbee3c3?s=96&d=mm&r=g","caption":"rebecca"},"sameAs":["https:\/\/twitter.com\/rebecca@duportltd.co.uk"],"url":"https:\/\/www.duport.co.uk\/blog\/author\/rebecca\/"}]}},"_links":{"self":[{"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1853"}],"collection":[{"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=1853"}],"version-history":[{"count":4,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1853\/revisions"}],"predecessor-version":[{"id":1877,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/posts\/1853\/revisions\/1877"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/media\/1861"}],"wp:attachment":[{"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=1853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=1853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.duport.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=1853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}