5 Compliance Myths Small Businesses Still Believe
Compliance myths persist because they’re usually based on a grain of truth. You do need a privacy policy — but a privacy policy alone doesn’t make you compliant. Compliance is ongoing — but you don’t need to update everything simultaneously. Small businesses do face different challenges — but not exemptions.
These five myths are the ones that trap businesses in non-compliant states despite being aware of compliance requirements. Once you see them clearly, you can move past them.
Myth 1: “We’re Compliant Because We Have a Privacy Policy and a Cookie Banner”
The truth: A privacy policy and cookie banner address two narrow parts of one regulation (UK GDPR). They say nothing about five other regulatory domains.
Even if your privacy policy is comprehensive and your cookie banner is functional — both big “ifs” — you’ve addressed:
- Privacy policy: GDPR data transparency requirements
- Cookie banner: PECR consent requirement
You’ve said nothing about:
- Accessibility: Is your privacy policy accessible to screen readers? Is your cookie banner keyboard-navigable? 97% of websites have WCAG failures.
- Employment law: If you have employees, their data is personal data under GDPR — do you have an employee privacy notice? Do your contracts reflect the April 2026 day-one rights changes?
- AI compliance: If you use any AI tools (ChatGPT, Jasper, recruiting platforms), do you understand your obligations under the EU AI Act?
- Cybersecurity: How is your personal data secured? Do you have incident response procedures? 81% of SMEs have experienced a cyberattack.
- Cookie functionality: Does your cookie banner actually block cookies before consent, or is it cosmetic? 70%+ of sites with banners fire trackers before consent anyway.
Compliance in one area creates a false sense of security across all areas. You’re not compliant — you’re compliant with part of one regulation while exposed across five others.
What to do instead: Use a compliance scope checklist. Identify which regulations actually apply to your business (see Which Regulations Apply to Your Website), then assess each one separately. You’re aiming for “good enough” across all applicable domains, not perfection in one.
Myth 2: “Compliance is a One-Time Project”
The truth: Compliance is ongoing. Regulations change throughout the year, and you need to stay current.
The past six months illustrate this perfectly:
- February 2026: DUAA reforms UK GDPR cookie consent requirements and complaint handling
- April 2026: Employment Rights Act Phase 1 — day-one rights, new statutory sick pay rules
- June 2026: DUAA full implementation + EAA one-year anniversary
- August 2026: EU AI Act high-risk deadline
- October 2026: Employment Rights Act Phase 2 + harassment duty
- January 2027: Unfair dismissal qualifying period drops to 6 months + sustainability reporting
This isn’t an unusual year. This is the baseline from now on. Regulations don’t stay still.
Compliance as a “one-time project” mindset leads to policies becoming stale. Your privacy policy from 2020 is almost certainly non-compliant with current requirements. Your employment contracts from 2023 don’t reflect the 2026 changes. Your website accessibility assessment from 2024 doesn’t account for evolving WCAG standards.
What to do instead: Treat compliance as ongoing hygiene, not a project. Set a calendar reminder for an annual compliance review. Each year, check: Have the regulations changed? Have your business activities changed? Are your policies current? Are your technical measures still working?
Subscribe to regulatory updates. The ICO publishes updates, the NCSC publishes security alerts, and GOV.UK publishes employment law changes. Or subscribe to our fortnightly newsletter which personalises regulatory updates relevant to your business.
Myth 3: “We’ll Get to It When We Have Time”
The truth: Regulatory deadlines don’t wait for quiet periods. The cost of reactive compliance is 3–5x the cost of proactive compliance.
This myth is rooted in experience — most SMEs do have busy periods and quiet periods, and it’s tempting to defer compliance work to the quiet times. The problem: quiet times rarely arrive, and regulatory enforcement doesn’t wait.
Here’s the real cost comparison:
Proactive compliance: You implement a privacy policy, update your cookies, add accessibility fixes. Total cost: 4–8 weeks of your time or £2–5K in external support.
Reactive compliance: You receive an ICO complaint or a data subject access request, then discover non-compliance. Cost: emergency legal fees, policy rewrites, potential fines, management time. Total cost: £5–20K+ and 2–3 months of management attention.
If a regulatory action triggers an investigation, it doesn’t just cover the issue that was reported — it often reveals non-compliance across multiple domains. An ICO investigation following a breach might uncover cookie violations, privacy policy gaps, and employee data handling failures.
The “best time” to address compliance was six months ago. The second-best time is now. Deferring it doesn’t reduce cost — it multiplies it.
What to do instead: Start now, not in a quiet period. Phase the work across three months (see How to Prioritise Digital Compliance for a sequencing framework). Quick wins in Phase 1 take 4–6 weeks and dramatically reduce your visible exposure. Phase 2 takes 8–12 weeks and addresses your highest-risk areas.
Myth 4: “Free Tools Can Handle Compliance”
The truth: Free tools (automated scanners, templates, self-assessment checklists) identify problems but don’t solve them.
Free compliance tools are useful — they’re the reason you know you have accessibility failures, cookie issues, or privacy policy gaps. But there’s a gap between “we know there’s a problem” and “we know what to do about it.”
A free accessibility scanner might tell you that you have 50 WCAG failures. But which 50 do you fix first? Some are easy and high-impact; others are complex and affect a small percentage of users. Which order maximises your risk reduction with limited resources?
A free cookie compliance checker might tell you that your site fires trackers before consent. But which trackers are worth the effort to remove versus which are customer-critical? What’s the right consent tool for your site? How do you configure it to actually work?
A privacy policy template might give you the right structure, but does it reflect your actual data processing? Do you know which lawful bases apply to your specific processing? Have you identified all third-party data sharing?
The gap between “scan results” and “knowing what to do” is exactly where Bartram sits. Free tools identify problems; professional screening contextualises findings, assesses legal implications, prioritises by risk, and produces actionable remediation plans.
What to do instead: Use free tools as a starting point — they’re useful for identifying what’s broken. But if you’re genuinely interested in reducing compliance exposure efficiently, get professional screening at some point. A single comprehensive assessment across all applicable domains gives you a prioritised action plan, tells you which fixes are urgent and which can wait, and often reveals cross-domain risks that point-solution tools miss.
Free tools are good for awareness. Professional screening is necessary for action.
Myth 5: “Our Industry is Different — These Regulations Don’t Really Apply to Us”
The truth: The core regulatory frameworks apply across all sectors. Some sectors have additional requirements, but exemptions are rare.
This myth shows up in different forms depending on the sector:
- “We’re an education provider — GDPR doesn’t apply to schools.” (It does; schools process student data)
- “We’re a hospitality business — the Equality Act doesn’t apply to restaurants.” (It does)
- “We’re a professional services firm — employment law is for bigger companies.” (It’s not; you have the same obligations)
- “We’re a tech startup — we’re too innovative for old regulations like GDPR.” (GDPR applies to all sectors)
The only sector-specific partial exemptions are:
- EAA accessibility: Microenterprises (< 10 employees, < €2M turnover) have some exemptions from the EAA’s accessibility requirements, but these are narrower than most assume — they don’t exempt all digital services.
- UK GDPR record-keeping: Organisations under 250 employees don’t need detailed data processing records unless processing is regular, involves special category data, or poses a risk. Most SMEs exceed the “regular processing” threshold anyway.
The core obligations — privacy policies, consent, data security, accessibility, employment rights, fair hiring practices — apply across all sectors.
What varies is implementation. A healthcare provider handles more sensitive data than a marketing agency, so healthcare compliance work is more intensive. A manufacturing business with 100 employees needs more employment law infrastructure than a 3-person consultancy. But these are differences in degree, not in applicability.
What to do instead: Stop looking for a sector exemption and start implementing the baseline. Even if your sector has some variations, the best approach is: (a) understand the core frameworks, (b) implement baseline compliance, (c) then layer on any sector-specific requirements. You’re not exempt — you’re just working at a different scale.
What to Do Now
These myths are why so many SMEs remain non-compliant despite being aware of compliance. Once you see them clearly, you can move past them.
The first step is moving from “we’re probably fine” or “we’ll get to it eventually” to “we know exactly what we’re responsible for and we have a plan.”
To stay informed about regulatory changes relevant to your business, subscribe to our fortnightly newsletter.
To turn that understanding of your responsibilities into an action plan, get a complete compliance screening that identifies gaps across all applicable domains and prioritises remediation by risk and cost.
Compliance isn’t about perfection. It’s about seeing clearly, acting strategically, and building hygiene into your operations. Stop believing the myths. Start with reality.