Who UK GDPR Applies To and What It Requires
The UK GDPR (General Data Protection Regulation) applies to any business that processes personal data of individuals in the United Kingdom, regardless of where the business is based. If your website collects visitor data through forms, analytics, cookies, or any other means, you are processing personal data and need to comply with these regulations.
Personal data covers any information that can identify a living individual directly or indirectly. This includes names, email addresses, phone numbers, IP addresses, location data, and more. The definition is intentionally broad, so most small business websites will fall under these requirements.
UK GDPR applies to UK businesses, EU businesses targeting UK individuals, and non-EU businesses that offer goods or services to UK residents. The Information Commissioner's Office (ICO) is the UK regulator responsible for enforcement. They have the power to issue fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for serious breaches. For smaller breaches, fines can still be substantial, making compliance worthwhile for businesses of any size.
Lawful Basis for Processing Data
Every time you collect or process personal data, you must have a lawful basis for doing so. UK GDPR lists six lawful bases, and the most relevant for most small business websites are consent, contract, and legitimate interests. Choosing the correct lawful basis depends on why you are collecting the data and what you do with it.
- Consent: The individual has given clear, specific, and informed consent to the processing. Consent must be opt-in, not pre-ticked. It must be as easy to withdraw as it is to give. You must keep a record of when and how consent was given, including what the user agreed to and when.
- Contract: Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract. This applies when someone purchases a product or service from you, such as processing their delivery address to fulfil an order.
- Legitimate interests: Processing is necessary for your legitimate interests, provided those interests are not overridden by the individual's rights. This requires a balancing test and is not automatic. You must document your reasoning for using this basis.
For a contact form submission, legitimate interests or contract are typically the appropriate basis. For a marketing newsletter, consent is required. For website analytics, legitimate interests with appropriate safeguards is often applicable, though you should configure your analytics to minimise data collection where possible.
If you operate a booking system on your website, there are specific considerations around what data you collect and how long you retain it. A practical guide to booking system GDPR compliance covers these points in more detail.
Your Website Privacy Notice
Your website must have a privacy notice that tells visitors what data you collect, why you collect it, how long you keep it, who you share it with, and how to exercise their rights under UK GDPR. The ICO provides a generator at ico.org.uk that produces a starting privacy notice, though you should adapt it to your specific practices rather than using it as a template unchanged.
At minimum, your privacy notice must include your business name and contact details, the lawful basis for each processing activity, how long data is retained, whether data is transferred outside the UK and the safeguards in place, the data subject's rights under UK GDPR, the right to lodge a complaint with the ICO, and if you use automated decision-making or profiling, information about the logic involved.
Place a link to your privacy notice in obvious places: in your website footer, in your email footers, and before any form that collects personal data. Users should not have to hunt for this information.
Cookie Consent Management
Cookies that are not strictly necessary for the website to function require consent under UK GDPR and the Privacy and Electronic Communications Regulations (PECR). The only cookies that do not require consent are those that are strictly necessary for the service the user has explicitly requested.
A shopping cart cookie is strictly necessary. An analytics cookie is not. A session management cookie that keeps users logged in during a service request is typically considered strictly necessary, but you should evaluate each cookie on your site individually.
Implement a cookie consent banner that meets these requirements. The banner must not use pre-ticked boxes or other dark patterns designed to trick users into accepting cookies. It must require affirmative action to accept non-essential cookies. It should allow users to accept or reject categories of cookies separately rather than forcing an all-or-nothing choice. The banner must not block content until consent is given, as this practice (sometimes called a cookie wall) is not compliant with current guidance.
Use a compliant cookie consent management platform (CMP) such as Cookiebot, OneTrust, or Termly rather than building your own solution. The legal requirements are detailed, change periodically, and building a compliant solution from scratch is rarely the best use of a small business owner's time.
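To make the gating rule concrete, here is an added example (not code from the article or from any of the consent platforms it names) of the consent logic a compliant banner sits on top of. The cookie inventory and category names are constructed samples, and the banner UI and browser storage are left out so the rules can be read and run on their own.

```javascript
// Added example: minimal consent model. Cookie names and categories below are
// constructed samples from a hypothetical cookie audit, not a real site's.
const STRICTLY_NECESSARY = "strictly_necessary";

// Constructed sample inventory: cookie name -> category.
const COOKIE_CATEGORIES = {
  cart_id: STRICTLY_NECESSARY,    // shopping cart: exempt from consent
  session_id: STRICTLY_NECESSARY, // keeps the user logged in: exempt
  _ga: "analytics",               // analytics: opt-in required
  ad_tracker: "marketing",        // marketing: opt-in required
};

// Fresh state: every non-essential category starts unticked (no pre-ticked boxes).
function newConsentState() {
  const choices = {};
  for (const cat of Object.values(COOKIE_CATEGORIES)) if (cat !== STRICTLY_NECESSARY) choices[cat] = false;
  return { version: 1, given: null, choices };
}

// Record an affirmative per-category choice with a timestamp, so the business
// can show what was agreed and when. Only a literal true counts as consent.
function recordConsent(state, choices, now = Date.now()) {
  const updated = { ...state, choices: { ...state.choices }, given: now };
  for (const [cat, ok] of Object.entries(choices)) {
    if (cat in updated.choices) updated.choices[cat] = ok === true;
  }
  return updated;
}

// Withdrawal is as easy as giving: one call clears every non-essential category.
function withdrawConsent(state, now = Date.now()) {
  const cleared = {};
  for (const cat of Object.keys(state.choices)) cleared[cat] = false;
  return { ...state, choices: cleared, given: now };
}

// The gate: strictly necessary cookies always pass; others only if their
// category was accepted; cookies missing from the audit are refused.
function mayStoreCookie(state, cookieName) {
  const category = COOKIE_CATEGORIES[cookieName];
  if (category === undefined) return false;
  if (category === STRICTLY_NECESSARY) return true;
  return state.choices[category] === true;
}

// After a rejection or withdrawal, these already-set cookies must be removed.
function cookiesToPurge(state) {
  return Object.keys(COOKIE_CATEGORIES).filter((n) => !mayStoreCookie(state, n));
}
```

Wire the site's non-essential scripts behind `mayStoreCookie` and call `cookiesToPurge` whenever consent changes, so a rejection actually removes cookies rather than only hiding the banner.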
Data Subject Rights Under UK GDPR
UK GDPR gives individuals specific rights over their data. Your website and business processes must be able to handle these requests within one month of receiving them. Failing to respond to these requests is itself a breach of UK GDPR.
- Right of access: Individuals can request a copy of all personal data you hold about them. This is called a Subject Access Request (SAR). You must provide the data in a readable format, typically CSV or PDF, and you cannot charge a fee for handling this request (unless the request is manifestly unfounded or excessive).
- Right to rectification: Individuals can request corrections to inaccurate personal data. You should update your records promptly and confirm the changes have been made.
- Right to erasure: Also called the right to be forgotten. Individuals can request deletion of their data when it is no longer necessary for the purpose it was collected, when consent is withdrawn, or when processing is unlawful. There are some exemptions, such as legal obligations to retain certain data.
- Right to data portability: Individuals can request their data in a machine-readable format, such as JSON or CSV, where processing was carried out by automated means and based on consent or contract.
- Right to object: Individuals can object to processing based on legitimate interests or direct marketing. You must stop processing for direct marketing immediately upon objection.
Document how you would handle each type of request before you receive one. Have a process for verifying the identity of the requester, which is required before providing personal data to anyone. A simple response template can help ensure you meet the one-month deadline.
Data Breach Notification Requirements
If a data breach occurs that is likely to result in a risk to individuals, you must notify the ICO within 72 hours of becoming aware of it. If the breach presents a high risk to individuals, you must also notify the affected individuals directly without undue delay. This is an area where preparation matters significantly.
Document all data breaches, even minor ones, and the actions taken in response. Not every breach requires ICO notification, but all must be recorded in your breach log. Having a clear process for identifying, assessing, and responding to breaches reduces the risk of missing critical deadlines.
If you store personal data in the cloud, ensuring you have appropriate backup procedures in place can reduce the impact of incidents and support faster recovery. A practical guide to cloud backup solutions covers what to look for when choosing a provider.
Your Obligations for Third-Party Services
When you use third-party services that process personal data, such as email marketing platforms, analytics tools, CRM systems, or cloud storage, you remain responsible for that data under UK GDPR. You must ensure the third party provides adequate data protection and that you have a Data Processing Agreement (DPA) in place with them.
Most reputable service providers have DPAs available that you accept when agreeing to their terms of service. You should review and accept these DPAs for each service you use that processes personal data. Check your account settings or the provider's privacy documentation to locate the DPA acceptance process.
Your privacy notice should list every third-party service you use that processes personal data, what data they receive, and why. This transparency helps users understand who handles their information. Use a tool like builtwith.com or similar services to audit which third-party services are active on your website, as many websites accumulate more services over time than their owners realise.
Practical Steps to Take Now
If your website is not currently compliant, the minimum steps to take are as follows. Working through these items systematically will give you a solid foundation for UK GDPR compliance.
- Audit your data: List every form on your site, what it collects, where the data goes, and who has access to it. Map your entire data flow from collection to storage and any third-party sharing.
- Write or update your privacy notice: Use the ICO generator as a starting point and adapt it to your actual practices. A generic privacy notice that does not reflect your real data handling is not compliant.
- Add a cookie consent banner: Use a reputable CMP and configure it to match your actual cookie usage. Configure it to only set non-essential cookies after consent is received.
- Create a SAR process: Document how you would handle a data access request, including identity verification steps and your response format.
- Sign DPAs with your third-party providers: Check each provider's privacy or data processing documentation and complete any required acceptance steps.
- Encrypt personal data at rest: Ensure servers storing personal data use full disk encryption or equivalent protection. This is particularly important for laptops and mobile devices that could be lost or stolen.
- Delete data you no longer need: If you have personal data that serves no current purpose, delete it. Holding onto data you no longer need increases your risk and your compliance burden.
Security Considerations for Small Businesses
UK GDPR requires appropriate technical and organisational measures to protect personal data. This means your security measures should be proportionate to the risks involved, not a one-size-fits-all approach. A small website holding names and email addresses does not need the same security as a healthcare provider handling sensitive medical data.
That said, basic security practices matter for every business. Use strong, unique passwords for all accounts. Enable two-factor authentication wherever it is available. Keep software, plugins, and systems updated. Back up your data regularly and test that backups can actually be restored.
For businesses handling payment data, PCI DSS compliance is a separate requirement that operates alongside UK GDPR. If you process credit card information, understanding PCI DSS compliance for small businesses is worth the time investment.
If you are considering formal security certification, two common UK schemes are Cyber Essentials and ISO 27001. Each has different requirements and suits different types of businesses. A comparison of ISO 27001 versus Cyber Essentials can help you decide which path may be appropriate for your situation.
Reviewing and Maintaining Compliance
Compliance is not a one-time task. Review your privacy notice and data practices whenever you add a new service that processes personal data, change the way you collect or use data, or if guidance from the ICO changes. Annual reviews are sensible even when nothing has changed.
The ICO website at ico.org.uk has detailed guidance specifically written for small businesses. This guidance is free to access and worth reading in full if you are handling compliance yourself. For more complex situations, or if you are unsure whether your setup meets requirements, consulting a qualified data protection professional can provide clarity.
If you handle email marketing or use email to communicate with customers, understanding email authentication protocols can reduce the risk of your emails being spoofed or marked as spam. An explanation of SPF, DKIM, and DMARC covers what these protocols do and how they protect your business communications.