Is Your Website GDPR Compliant? What Most Small Businesses Get Wrong

If your website has a contact form, a newsletter signup, or uses Google Analytics, UK GDPR applies to you. Not just to big companies. Not just to online retailers. To you.

Most small business owners know GDPR exists. Most assume their website is probably fine. And most, if they actually checked, would find gaps they didn't know were there.

This isn't about scaring you. It's about understanding what the rules actually ask for, recognising the areas where business websites most commonly fall short, and knowing where you stand — before someone else points it out.

What does GDPR actually require from your website?

GDPR isn't one single rule. It's a set of principles about how you collect, store, and use people's personal data. When it comes to your website, several of those principles translate into specific, practical requirements.

Your site needs to be transparent about what data it collects and why. Visitors need to be able to find that information easily. If you're using cookies or tracking tools, there are rules about consent. If someone fills in a form, there are rules about what you tell them. If you're collecting email addresses, there are rules about how you handle them.

The requirements aren't unreasonable — they're mostly about being honest and giving people a genuine choice. But the detail matters, and the detail is where most websites slip up.

Where most business websites fall short

The same issues come up again and again when we scan small business websites. They're not dramatic failures — they're quiet gaps that accumulate.

Cookie consent is the most common problem. Many sites either have no cookie banner at all, or have one that doesn't actually do what it's supposed to. A banner that says "by continuing to use this site you agree to cookies" isn't valid consent under UK law. And a banner that appears but doesn't block cookies until the visitor makes a choice isn't doing its job either.

Privacy policies are often missing, buried, or out of date. If your site collects any personal data — even just a name and email address through a contact form — you need a privacy policy that explains what you collect, why, and what rights people have. It needs to be easy to find, not hidden three clicks deep.

Form data handling is regularly overlooked. When someone fills in a contact form on your website, are they told what will happen with their information? Most forms don't include any kind of data notice, and most business owners have never thought about it.

Tracking scripts run without consent. Google Analytics, Facebook pixels, embedded maps, embedded videos — all of these can collect personal data, and many websites load them before any consent is given. Most business owners don't even know these scripts are on their site, because they were added during the original build.
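The two failures just described, a banner that displays a message without blocking anything and tracking scripts that load before any choice is made, share one fix: nothing non-essential is injected until a recorded decision allows it. Below is an added example of that gating, not GoWebCheck's code and not anything from the original post. The tag list, the cookie name `cookie_consent`, the consent categories and the `doc` parameter are assumptions made for the illustration. The weak pattern it replaces is the analytics or pixel `<script>` tag pasted straight into the page `<head>`, which runs before a banner can be acted on at all.

```javascript
// Added example, not GoWebCheck's code: a loader that injects non-essential
// tags only after the visitor has recorded a consent choice. The cookie name,
// the tag list and the `doc` parameter are assumptions made for this illustration.

const CONSENT_COOKIE = 'cookie_consent'; // assumed name of the first-party consent record

// Non-essential tags, each tied to the consent category that must be granted first.
const TRACKERS = [
  { id: 'ga4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { id: 'fb-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Split a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Read the stored decision. Returns null when there is none, and the loader
// treats null as "nothing granted": silence is not consent.
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    return JSON.parse(decodeURIComponent(raw));
  } catch {
    return null; // a tampered or truncated record is treated as no decision
  }
}

// Which tags the current decision permits.
function tagsAllowedBy(consent) {
  if (!consent) return [];
  return TRACKERS.filter((t) => consent[t.category] === true);
}

// Inject only the permitted tags. `doc` is passed in rather than reading the
// global `document` so the logic can be exercised outside a browser.
function loadConsentedTags(doc, cookieString) {
  const loaded = [];
  for (const tag of tagsAllowedBy(readConsent(cookieString))) {
    const script = doc.createElement('script');
    script.src = tag.src;
    script.async = true;
    doc.head.appendChild(script);
    loaded.push(tag.id);
  }
  return loaded;
}

// Store the visitor's explicit choice (wired to the banner's buttons). Unchecked
// categories are written as false, so "reject all" is remembered like "accept all".
function saveConsent(doc, choices) {
  const record = { analytics: choices.analytics === true, marketing: choices.marketing === true };
  const value = encodeURIComponent(JSON.stringify(record));
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// In a browser, run on page load; nothing is injected until a decision exists.
if (typeof document !== 'undefined') {
  loadConsentedTags(document, document.cookie);
}
```

Call `saveConsent` from the banner's accept and reject handlers and then `loadConsentedTags` again, so tags appear in the same visit once granted and on every later page load. Because a "reject all" click also writes a record, the banner is not shown again on each visit, and because no record means no tags, a visitor who simply keeps browsing is never tracked.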

The problem with checking it yourself

You could work through a GDPR checklist manually, but there are a few practical problems. You'd need to know which cookies your site actually sets — and unless you built the site yourself, you probably don't. You'd need to check whether your cookie banner is genuinely blocking non-essential cookies before consent, not just displaying a message. You'd need to verify that your privacy policy covers everything it's supposed to and is actually linked from the right places.

These aren't things you can see just by looking at your website in a browser. They require checking what's happening behind the scenes — what scripts are loading, what cookies are being set, and when.
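An added example, not GoWebCheck's scanner, of the behind-the-scenes check the previous paragraph describes: it takes what a headless browser would record on first load, before anyone has touched the banner, and flags tracker scripts and non-essential cookies that were already present at that point. The tracker host list, the essential-cookie names and the observation record are all constructed for the illustration; a real scan would capture the script requests and cookie jar from a browser session.

```javascript
// Added example, not GoWebCheck's scanner: given what a headless browser recorded
// on first load, before the visitor touched the banner, flag the things that
// should not have happened yet. The host list, cookie names and the observation
// record are constructed for this illustration.

// Hosts whose scripts count as non-essential trackers (assumed, deliberately short).
const TRACKER_HOSTS = ['googletagmanager.com', 'google-analytics.com', 'connect.facebook.net', 'doubleclick.net'];

// Cookie names that may be set without consent because the site cannot work
// without them (assumed: a session id, a CSRF token and the consent record itself).
const ESSENTIAL_COOKIES = new Set(['PHPSESSID', 'csrftoken', 'cookie_consent']);

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// A cookie is first-party when its domain equals the site host or is a parent of it.
function isFirstParty(cookieDomain, siteHost) {
  const domain = cookieDomain.replace(/^\./, '');
  return siteHost === domain || siteHost.endsWith('.' + domain);
}

// `observed` has the shape a crawl would produce before any consent interaction:
// whether a banner was rendered, every script URL requested, every cookie in the jar.
function auditPreConsent(observed, siteHost) {
  const findings = [];
  if (!observed.bannerSeen) findings.push({ issue: 'no-consent-banner', detail: siteHost });
  for (const url of observed.scripts) {
    const host = new URL(url).hostname;
    if (isTrackerHost(host)) findings.push({ issue: 'tracker-loaded-before-consent', detail: host });
  }
  for (const cookie of observed.cookies) {
    if (ESSENTIAL_COOKIES.has(cookie.name)) continue; // strictly necessary, allowed
    findings.push({
      issue: isFirstParty(cookie.domain, siteHost)
        ? 'non-essential-cookie-before-consent'
        : 'third-party-cookie-before-consent',
      detail: cookie.name,
    });
  }
  return findings;
}

// Constructed observation: a site that shows a banner but loads gtag and sets
// analytics and Facebook cookies before anyone has clicked anything.
const SAMPLE_OBSERVATION = {
  bannerSeen: true,
  scripts: ['https://www.example.co.uk/js/site.js', 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE'],
  cookies: [
    { name: 'PHPSESSID', domain: 'www.example.co.uk' },
    { name: '_ga', domain: '.example.co.uk' },
    { name: 'fr', domain: '.facebook.com' },
  ],
};

for (const f of auditPreConsent(SAMPLE_OBSERVATION, 'www.example.co.uk')) {
  console.log(`${f.issue}: ${f.detail}`);
}
```

The point of the split between first-party and third-party cookie findings is that they usually have different owners: a first-party analytics cookie is set by a script the site chose to load, while a third-party one arrives with an embed (a map, a video, a pixel) that the owner may not know is there. Both need the same remedy, gating the script that sets them behind consent.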

What's actually at risk?

The ICO — the UK's data protection regulator — has the power to issue fines of up to £17.5 million. In practice, enforcement against small businesses tends to start with warnings and improvement notices rather than headline fines. But that's cold comfort if you're the one receiving the letter.

The more immediate risk is reputational. Customers notice when a website doesn't have a privacy policy, or when a cookie banner feels dodgy. It doesn't inspire confidence. And if you're competing against businesses that handle this properly, the contrast works against you.

Find out where you stand

The quickest way to know whether your website is meeting its GDPR obligations is to check it. GoWebCheck scans your site and reports specifically on cookie compliance, privacy policy presence, consent mechanisms, form data handling, and tracking scripts — alongside six other areas of website health.

You'll get a clear score, a list of what's missing, and plain-English explanations of what each issue means for your business. No jargon, no guesswork.

Check your website now →

GoWebCheck provides automated website health checks for informational purposes. It is not a substitute for professional legal or compliance advice.