7 GDPR Myths That Are Costing UK Businesses Money
GDPR compliance is surrounded by misconceptions. Some are outdated (carryovers from the first anxious months after May 2018). Some are wishful thinking. Some are born from conversations with compliance consultants who benefit from fear. These myths are costing SMEs time and money because they either over-invest in unnecessary work or under-invest in areas that matter.
Here are seven persistent myths, what’s actually true, and what you should do instead.
Myth 1: “We’re too small for GDPR to apply”
This is the most persistent myth. A sole trader thinks GDPR is for banks and tech companies. A 5-person consultancy assumes it doesn’t apply to them. A café thinks a Wi-Fi login page is too trivial to count.
Reality: There is no size exemption under UK GDPR. It applies to any organisation processing personal data of UK residents, from sole traders upward. A one-person business with a website contact form is processing personal data and is in scope.
The only partial exemption relates to record-keeping: organisations with fewer than 250 employees don’t need to maintain detailed records of processing activities — unless the processing is regular, involves special categories of data (health, race, biometric), or poses a risk to individuals’ rights. In practice, most SMEs with a website meet the “regular processing” threshold because analytics and cookies run continuously.
What to do instead: Don’t use company size as an excuse to skip compliance work. Start with the basics: a privacy policy, cookie consent that actually works, and a process for handling data subject requests. These take a day or two, cost nothing, and cover 80% of what the ICO is looking for.
Myth 2: “We don’t collect personal data — we just have a website”
Many SMEs think personal data only means names and email addresses that customers explicitly provide. They assume their website is neutral and doesn’t “collect” anything.
Reality: If your website uses Google Analytics, sets cookies, has a contact form, or embeds any third-party script, you are processing personal data. IP addresses and cookie identifiers are personal data under UK GDPR. A visitor to your website who hasn’t given you their name has still provided personal data (their IP address, their device type, their browsing behaviour via analytics).
You’re processing personal data whether or not you explicitly collect it.
What to do instead: Audit your website for analytics, trackers, and scripts. Google Analytics alone means you’re processing the IP addresses and behaviour of every visitor. Add the data you collect via forms, email signups, and payment processing. This is your baseline. Build your privacy policy and consent mechanisms around the data you actually collect.
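The inventory step above is easy to do by hand for a small site but easy to get wrong once a few plugins have been added. The following is an added example (not from the original article) that walks a page's HTML and lists every host that a script, iframe, image or stylesheet is pulled from, so that each can be matched against the privacy policy. The sample page, the site hostname and the small vendor lookup are constructed for illustration.

```javascript
// Added example (not from the article): inventory the third-party services a page
// embeds, as a first step in the audit described above. The HTML below is a
// constructed sample; the vendor map is a small assumed lookup for illustration.

// Hosts we recognise by name (assumed lookup; extend it for your own stack).
const KNOWN_VENDORS = {
  "www.google-analytics.com": "Google Analytics",
  "www.googletagmanager.com": "Google Tag Manager",
};

// Tags that fetch a remote resource, with the attribute that carries the URL.
const RESOURCE_TAGS = /<(script|iframe|img|link)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Returns one entry per (tag, third-party host) pair found in the HTML.
function inventoryThirdParties(html, siteHost) {
  const base = `https://${siteHost}/`;
  const seen = new Map();
  let m;
  while ((m = RESOURCE_TAGS.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let url;
    try {
      url = new URL(m[2], base); // resolves relative and protocol-relative references
    } catch (_) {
      continue; // unparsable reference: skip rather than guess
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") continue; // data:, mailto: etc.
    if (url.hostname === siteHost) continue; // first-party: nothing to disclose
    const key = `${tag} ${url.hostname}`;
    if (!seen.has(key)) {
      seen.set(key, {
        tag,
        host: url.hostname,
        vendor: KNOWN_VENDORS[url.hostname] || "unknown (check against privacy policy)",
        example: url.href,
      });
    }
  }
  return [...seen.values()].sort(
    (a, b) => a.host.localeCompare(b.host) || a.tag.localeCompare(b.tag)
  );
}

// Constructed sample page for a fictional SME site (ids and hosts are placeholders).
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/js/app.js"></script>
</head><body>
<iframe src="//maps.example.org/embed?q=shop"></iframe>
<img src="https://pixel.example.net/t.gif?uid=1" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlh" alt="">
</body></html>`;

function auditSample() {
  return inventoryThirdParties(SAMPLE_HTML, "www.example-shop.co.uk");
}

// Run directly: node inventory.js
if (typeof require !== "undefined" && require.main === module) {
  for (const item of auditSample()) {
    console.log(`${item.tag.padEnd(6)} ${item.host.padEnd(28)} ${item.vendor}`);
  }
}
```

For the constructed page this reports three third-party hosts (the tag manager script, the map iframe and the tracking pixel) and ignores the first-party stylesheet and script and the inline data: image. Anything that comes back as "unknown" is a service that needs a line in the privacy policy and a lawful basis, or needs removing.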
Myth 3: “We copied a privacy policy template, so we’re covered”
Many SMEs download a template, fill in a few blanks, and assume they’re compliant. The template is generic (“we process personal data”), and the filled-in version doesn’t reflect the business’s actual practices.
Reality: A template that doesn’t match your actual data processing is worse than useless — it’s actively misleading. If you say in your privacy policy that you don’t use analytics, but you use Google Analytics, you’re violating the transparency principle. If you say you delete data after 12 months but actually keep it indefinitely, you’re misleading customers and the ICO.
A privacy policy is a factual document. It must accurately reflect what your business does with personal data. A mismatched policy is evidence of non-compliance.
What to do instead: Use a template as a starting point, but customise it to reflect your actual practices. Audit what data you collect, where it goes, how long you keep it, and who you share it with. Then write a privacy policy that honestly describes these activities. It’ll be longer than a generic template, but it’ll be compliant.
Myth 4: “GDPR is an EU law — it doesn’t apply to UK businesses”
This myth comes from confusion about Brexit. Since the UK left the EU, some people think GDPR no longer applies to UK businesses.
Reality: UK GDPR is UK domestic law, retained and updated post-Brexit via the Data Protection Act 2018 and the Data (Use and Access) Act 2026. It applies to all UK businesses processing personal data of UK residents. It’s just as binding as any other UK law.
What’s changed: you’re no longer regulated by EU regulators. The ICO (Information Commissioner’s Office) is your regulator, not the European Data Protection Board or national EU authorities. And the rules themselves have been updated — the DUAA changed complaint handling, lawful basis provisions, and cookie consent rules.
If you also process data of EU residents (you have EU customers), you’re subject to the EU GDPR separately, creating dual compliance obligations. But UK GDPR absolutely applies to any UK business.
What to do instead: Treat UK GDPR as the legal baseline for your business. If you also serve EU customers, understand that the UK and EU rules are diverging slightly (see the UK GDPR vs EU GDPR guide for specifics).
Myth 5: “We got compliant in 2018 and haven’t changed anything”
Some businesses completed a compliance project in 2018 when the EU GDPR came into force and haven’t revisited it since. They assume their 2018 privacy policy and processes are still compliant.
Reality: The Data (Use and Access) Act 2026 is the most significant reform of UK data protection law since Brexit. It came into force in February 2026 and changed:
- How complaints to the ICO are handled
- Lawful basis provisions
- Cookie consent requirements
- The ICO’s enforcement powers and objectives
A privacy policy written in 2018 doesn’t reference the DUAA. It may use outdated language. It likely doesn’t mention the DUAA complaint handling framework (which is now required). Cookie consent mechanisms built in 2018 may not meet current standards.
Compliance isn’t a one-time project. It requires annual review at minimum.
What to do instead: Review your privacy policy now against the updated requirements. Update it to reflect the DUAA changes. Review your cookie consent mechanism and ensure it meets current standards (separate toggles, easy withdrawal, no pre-ticked boxes). Plan an annual review — every January or when you make significant changes to how you process data.
Myth 6: “The ICO only goes after big companies”
Many SMEs think the ICO’s enforcement focus is on multinational tech firms. A local business assumes it’s below the radar.
Reality: In 2025, the ICO issued record fines totalling over £20M. The largest fines were for large organisations (Capita, Advanced Computer Software, 23andMe, LastPass), but the trend is toward enforcement triggered by data breaches — and SMEs are disproportionately targeted by cyberattacks (81% of attacked businesses are SMEs).
The ICO’s stated approach is supportive for SMEs — helping businesses get it right rather than punishing small operators. In practice, this means most SME enforcement starts with reprimands or enforcement notices rather than fines. But it doesn’t mean immunity. If an SME suffers a breach and is found to have inadequate security measures, enforcement action follows.
The bigger shift: two-thirds of ICO fines in 2025 were for security failures, not marketing violations. This means the focus is on data breaches and inadequate protection measures — exactly where SMEs are most vulnerable.
What to do instead: Don’t assume you’re too small to be noticed. Focus on basic security: HTTPS, password protection for data systems, regular backups, and clear processes for handling breaches. These address the area where ICO enforcement is actually concentrated. And if you suffer a breach, handle it transparently — notify affected people and the ICO without delay.
Myth 7: “Privacy policies and consent banners are just box-ticking”
Some businesses view privacy policies and consent mechanisms as bureaucratic requirements — necessary but not substantive. They tick the boxes without investing in actual compliance.
Reality: Privacy policies and consent mechanisms are the foundation of GDPR compliance. They’re how you demonstrate accountability — one of GDPR’s seven core principles. If you can’t articulate what you do with personal data (privacy policy) and you can’t show you got consent (functional consent mechanism), you can’t demonstrate compliance to the ICO.
More practically: privacy policies and consent set the terms of your relationship with customers. A clear policy signals professionalism and builds trust. A vague policy or a broken consent mechanism signals the opposite.
The ICO’s approach to SME enforcement often starts with reviewing these documents. If your privacy policy is vague and your consent mechanism is non-functional, you’ll be flagged early. Getting these right is how you stay off the ICO’s radar.
What to do instead: Invest in these properly. Your privacy policy should be specific to your business, reflect actual practices, and be reviewed annually. Your consent mechanism should actually block non-essential cookies and offer genuine choice (separate toggles, not a single “accept all” button). These aren’t box-ticking exercises — they’re the legal foundation of responsible data handling.
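The consent requirements set out in Myth 5 and Myth 7 (non-essential scripts blocked until consent, one toggle per category, nothing pre-ticked, withdrawal as easy as granting) translate into a small piece of page logic. The following is an added example (not code from the original article) of a consent gate that holds every non-essential category at "refused" until the visitor decides, loads a category's script only once consent for that category is recorded, and treats a corrupt or missing stored decision as "not decided". The category names, storage key and script URLs are assumptions; the storage and loader callbacks are injected so the same logic runs in a browser with localStorage or under Node for testing.

```javascript
// Added example (not from the article): a consent gate for non-essential scripts.
// Nothing in a non-essential category loads until the visitor opts in to that
// category; defaults are all-off (no pre-ticked boxes); withdrawal is one call.
// Category names, the storage key and the script URLs are assumptions.

const CATEGORIES = ["analytics", "marketing"]; // non-essential categories (assumed)
const STORAGE_KEY = "cookie-consent-v1";        // assumed key; change the suffix when the policy changes

function createConsentGate({ storage, loaders, now = () => Date.now() }) {
  // Initial state: every category refused until the visitor decides.
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  let decidedAt = null;
  const loaded = new Set();

  // Restore an earlier decision; anything malformed counts as "not decided".
  const raw = storage.getItem(STORAGE_KEY);
  if (raw) {
    try {
      const parsed = JSON.parse(raw);
      if (parsed && typeof parsed.decidedAt === "number" && parsed.granted) {
        for (const c of CATEGORIES) state[c] = parsed.granted[c] === true;
        decidedAt = parsed.decidedAt;
      }
    } catch (_) { /* corrupt value: keep the all-refused default */ }
  }

  // Run each granted category's loader exactly once.
  function applyLoaders() {
    for (const c of CATEGORIES) {
      if (state[c] && !loaded.has(c) && typeof loaders[c] === "function") {
        loaders[c]();
        loaded.add(c);
      }
    }
  }

  // Record a per-category choice; unknown or missing categories are treated as refused.
  function update(choices) {
    for (const c of CATEGORIES) state[c] = choices[c] === true;
    decidedAt = now();
    storage.setItem(STORAGE_KEY, JSON.stringify({ granted: state, decidedAt }));
    applyLoaders();
  }

  const api = {
    init: () => { applyLoaders(); return api; }, // call once on page load
    hasDecided: () => decidedAt !== null,        // false => show the banner
    granted: () => ({ ...state }),
    isLoaded: (c) => loaded.has(c),
    update,
    acceptAll: () => update(Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => update({}),
    // Withdrawal records a refusal for everything. Scripts already injected stay in
    // the page until reload, so the caller should reload the page after this.
    withdraw: () => update({}),
  };
  return api;
}

// Browser loader: injects a script tag only when called, i.e. only after consent.
function scriptLoader(src) {
  return () => {
    const s = document.createElement("script");
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
}

// Browser wiring; skipped under Node so the logic stays testable.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.consentGate = createConsentGate({
    storage: window.localStorage,
    loaders: {
      analytics: scriptLoader("https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"), // placeholder id
      marketing: scriptLoader("https://ads.example.net/pixel.js"),                         // placeholder URL
    },
  }).init();
  // A banner with one unchecked checkbox per category then calls
  // window.consentGate.update({ analytics: box1.checked, marketing: box2.checked }).
}
```

The design choice worth noting is that the analytics tag is never in the HTML at all; it is only injected by the loader, so there is nothing for a broken banner to "fail to block". The banner itself stays trivial: one unchecked checkbox per category, a save button that calls `update`, and a "withdraw consent" link in the privacy policy that calls `withdraw` and reloads.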
What to Do Instead
Move past these myths and focus on what actually matters:
- Privacy policy: Specific to your business, accurate, complete, dated, and reviewed annually.
- Cookie consent: Functional mechanism that blocks non-essential cookies until consent is given.
- Third-party disclosure: Every service embedded on your site that processes data is disclosed and has a lawful basis.
- Data subject requests: Simple documented process for handling requests within 30 days.
- Employee data: Staff privacy notice issued to employees.
- Security: Basic measures like HTTPS, password protection, regular backups.
- ICO registration: Most SMEs must register (costs £40–£60). Check your obligation and register if needed.
These fundamentals cover the compliance areas the ICO actually focuses on. They take a few days to implement and cost nothing. The myths above have probably cost your business more in unnecessary anxiety than actual compliance work.
For a structured approach, work through the GDPR compliance checklist — 20 testable items grouped by category. For a more thorough audit of your website and privacy policy, Bartram Web screens for these issues and delivers a prioritised action plan.
Stop worrying about being “too small” and start building a defensible compliance posture. It’s simpler than the myths suggest.
Last updated: 2026-03-23