How to Make Your Website GDPR Compliant — A Practical Guide for UK SMEs
If your website has a contact form, uses Google Analytics, sets cookies, or collects email addresses for a newsletter, you’re processing personal data under UK GDPR. There’s no size exemption and no “too small for compliance” get-out clause. A one-person sole trader with a website contact form is processing personal data just as much as a 50-person consultancy.
The good news: you don’t need a lawyer to fix this. You need to be systematic. This guide walks through eight practical steps to move from a position of partial or non-compliance to a defensible state.
Why This Matters
The Information Commissioner’s Office fined businesses over £20M in 2025. Two-thirds of those fines were for security breaches — and that’s the exact vulnerability most SMEs share. A breach that exposes inadequate data protection invites ICO enforcement regardless of company size. Beyond enforcement risk, non-compliant practices erode customer trust. Transparency builds it.
The Data (Use and Access) Act 2026 came into effect in February and changed several rules. Privacy policies written before that date are likely now non-compliant.
Step 1: Audit Your Data Processing
You can’t write a privacy policy until you understand what data you actually collect, where it goes, and how long you keep it.
Start by listing every type of personal data:
- Information you collect directly: Contact forms, newsletter signups, account creation, feedback surveys, webinars
- Information you collect indirectly: Google Analytics (IP addresses, device type, pages visited), cookies and trackers (behaviour, engagement), third-party scripts embedded in your site (Facebook Pixel, LinkedIn insights, HubSpot forms)
- Information you process internally: Customer email lists, payment histories, support tickets, staff records
For each type, document:
- What data you collect
- Why you collect it (the “lawful basis” — usually “legitimate interest,” “consent,” or “contractual performance”)
- Where you store it
- Who you share it with (if anyone)
- How long you keep it before deleting
Write this down. You’re building the foundation for your privacy policy and demonstrating accountability — one of GDPR’s seven principles.
Step 2: Update Your Privacy Policy
Most SME websites have a privacy policy. Most are incomplete.
Check yours against these 12 requirements. Your privacy policy must:
- Name your data controller — That’s you. Your business name and contact details.
- Explain what data you collect — Be specific. “Contact information” is vague. “Name, email address, phone number via the contact form” is clear.
- Explain why you collect it — Your lawful basis. Common ones: “to respond to your enquiry,” “with your consent for marketing,” “to provide the service you’ve purchased.”
- Disclose all third-party data sharing — Every script embedded on your site, every service you feed data into. Google Analytics processes your users’ data. So does your email platform. These must be disclosed.
- State retention periods — How long you keep each type of data before deleting it. “We keep email enquiries for 12 months unless you ask us to delete them” is clear. “We keep it as long as needed” is vague and non-compliant.
- List data subject rights — People have the right to access, correct, delete, object to processing, and request portability of their data. Explain how they exercise these rights and who they contact.
- Explain the complaints route — If someone is unhappy with how you handle their data, they can complain to the Information Commissioner’s Office. Provide the ICO’s contact details.
- Disclose automated decision-making — If you use any AI or automated systems to make decisions about individuals (scoring, filtering, ranking), you must disclose this.
- Explain international data transfers — If you store data outside the UK, state where.
- State your ICO registration number — Most UK businesses must register with the ICO (see Step 8). Include the number when you register.
- Explain DUAA complaint handling — As of February 2026, you must include information about how complaints are handled under the updated DUAA framework.
- Include a date — When was this policy last updated? Outdated policies are non-compliant. Review and update annually at minimum.
Many privacy policies copy templates that don’t reflect the business’s actual practices. If your policy doesn’t match what you actually do with data, it’s misleading — which is itself a transparency violation.
Update your policy to be specific to your business, date it, and make it accessible from every page of your website (link in the footer works).
Step 3: Implement or Fix Your Cookie Consent
This is where most SMEs stumble. A cookie banner alone isn’t enough. The mechanism must actually block non-essential cookies until consent is given.
Check your current setup:
- Does Google Analytics fire before you’ve clicked anything? Fail.
- Do third-party scripts load before consent? Fail.
- Is the “accept all” button much bigger than “reject”? Problematic — GDPR requires genuine choice.
- Can you reject tracking cookies and still use the website? Essential. You must not punish people for rejecting non-essential cookies.
If your banner doesn’t block cookies, it’s cosmetic — you’re still processing without consent, which violates both GDPR and the Privacy and Electronic Communications Regulations.
How to fix it:
- Use a consent management platform (CMP) like Osano, iubenda, or Cookiebot. These integrate with your website and actually prevent scripts from firing until consent is given.
- Alternatively, if you have developer access, implement a consent mechanism that checks for consent before any third-party script or tracking cookie loads.
- Offer genuine choice: separate toggles for “Essential,” “Analytics,” “Marketing,” and “Functional.” Don’t hide reject buttons or make acceptance the default.
Test it: open your site in a fresh private browsing window (so no earlier consent cookie skews the result), then use your browser’s developer tools to check network requests before you touch the banner. If Google Analytics or Facebook Pixel fire on page load without interaction, it’s broken.
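The consent mechanism Step 3 describes, as an added example that is not code from the guide or from any CMP: third-party tags are shipped inert and only activated once stored consent covers their category, and the default (no cookie, or a malformed one) is "nothing non-essential runs", which is exactly the property the network-request test above checks for. The cookie name, the `data-consent`/`data-src` attribute names and the category list are this example’s own assumptions.

```javascript
// Added example (not the guide's code): tags ship inert as <script type="text/plain"
// data-consent="analytics" data-src="..."> and only activate once consent covers them.
const CATEGORIES = ["essential", "analytics", "marketing", "functional"];
// Before the visitor has chosen anything, only essential processing is allowed.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, functional: false };
}

// Parse the consent record kept in a first-party cookie (JSON). Anything missing,
// malformed or tampered with collapses back to "no consent", never to "allow".
function parseConsent(raw) {
  const consent = defaultConsent();
  if (typeof raw !== "string" || raw === "") return consent;
  try {
    const stored = JSON.parse(raw);
    for (const c of CATEGORIES) {
      if (c !== "essential" && stored[c] === true) consent[c] = true;
    }
  } catch (_) { /* keep the safe defaults */ }
  return consent;
}

// Serialise the visitor's toggles for storage: unknown keys are dropped and
// "essential" cannot be switched off, because those cookies need no consent.
function serializeConsent(choices) {
  const out = defaultConsent();
  for (const c of CATEGORIES) if (c !== "essential") out[c] = choices[c] === true;
  return JSON.stringify(out);
}

// Pure decision: which deferred tags may run. A tag with a missing or
// unrecognised category needs consent that was never given, so it stays blocked.
function scriptsAllowed(consent, tags) {
  return tags.filter(t => t.category === "essential" || consent[t.category] === true);
}

// Browser-only: swap allowed inert tags for real <script src> elements and return
// how many were activated. With no document (e.g. under Node) nothing runs.
function activateDeferredScripts(consent, doc = globalThis.document) {
  if (!doc) return 0;
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map(el => ({ el, src: el.dataset.src, category: el.dataset.consent }));
  const allowed = scriptsAllowed(consent, tags);
  for (const { el, src } of allowed) {
    const real = doc.createElement("script");
    real.src = src;
    el.replaceWith(real);
  }
  return allowed.length;
}
```

On page load call `activateDeferredScripts(parseConsent(<cookie value>))`; when the visitor saves their toggles, store `serializeConsent(choices)` in the cookie and call it again, so no tag is ever activated by a category the visitor rejected.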
Step 4: Audit Your Third-Party Scripts
Every script embedded on your site is a data sharing relationship. If you use Google Analytics, you’re sharing IP addresses and browsing behaviour with Google. If you embed a HubSpot form, you’re sharing submitted data with HubSpot. These must be disclosed in your privacy policy and must have a lawful basis.
Common third-party services:
- Analytics: Google Analytics, Mixpanel, Hotjar
- Marketing: Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking
- Forms and CRM: HubSpot, Typeform, Mailchimp
- Chat: Intercom, Drift, Zendesk
- Video: Vimeo, YouTube embeds
Make a list of every third-party service loading on your site. For each one:
- Check that it’s disclosed in your privacy policy
- Verify you have a lawful basis for the data sharing
- Review the service’s own privacy policy to understand what data they process
Many SMEs have scripts firing that were never documented. Audit your site and clean this up.
Step 5: Ensure HTTPS
Data in transit must be encrypted. Use HTTPS (not HTTP). This is also a security requirement under GDPR Article 32. Most websites now do this automatically. Check that your site shows a padlock in the browser address bar and that a plain http:// address redirects to the https:// version; otherwise anyone who follows an old link still submits your forms unencrypted.
Step 6: Prepare a DSAR Process
A Data Subject Access Request (DSAR) is a formal written request from someone asking you to hand over all the personal data you hold about them. You have 30 days to respond. Most SMEs have no process for this and panic when one arrives.
Build a simple process:
- Designate a contact. Who receives DSARs? Publish this contact on your website (in your privacy policy).
- Verify identity. When a DSAR arrives, verify the person is who they claim to be (ask for ID, recent proof of address, or something you know about them). Ask only for what is proportionate to the request, and don’t keep the verification documents once the request is closed.
- Locate the data. Once verified, find all personal data you hold about that person. Check email, your CRM, your database, your analytics tool, your backup systems.
- Compile and deliver. Assemble the data in a clear, portable format (CSV, PDF, email). Send it within 30 days. You can charge for copies if requests are manifestly unfounded or excessive, but first requests are usually free.
You don’t need expensive tooling. A spreadsheet and a documented process are enough. What matters is that you can respond within the 30-day window without scrambling.
Step 7: Address Employee Data
If you have employees, you process HR data — employment contracts, payroll records, health information, performance reviews. This is personal data under UK GDPR and requires the same protection as customer data.
Create a staff privacy notice explaining:
- What employee data you hold and why
- How long you keep it
- Who you share it with (payroll provider, accountant, solicitor if needed)
- Their rights under GDPR
Review your data retention policy. Don’t keep personnel records indefinitely. A common standard: keep employment records for 6 years after someone leaves (for tax and legal reasons), then delete unless there’s a specific reason to retain.
If you use external providers (payroll, HR software, background check services), you need a Data Processing Agreement with each one. Most providers offer standard agreements on request — ask for their DPA template.
Step 8: Register with the ICO
Most UK organisations processing personal data must register with the Information Commissioner’s Office. Registration is affordable (£40–£2,900 depending on turnover and employee count; most SMEs pay £40 or £60) and required.
Check your obligation using the ICO’s self-assessment tool. If you must register, do it at ico.org.uk/registration.
Once registered, note your registration number and include it in your privacy policy.
How to Check It Worked
Audit your completed work against this checklist:
- Privacy policy is published on your website and accessible from every page
- Privacy policy names your data controller with contact details
- Privacy policy explains all types of personal data you collect
- Privacy policy discloses all third-party services that process data
- Privacy policy states retention periods for each data type
- Privacy policy lists data subject rights and how to exercise them
- Privacy policy includes the ICO complaints route
- Privacy policy is dated and reviewed at least annually
- Cookie consent mechanism is in place and actually blocks non-essential cookies
- Essential, analytics, and marketing cookies are separately toggleable
- You can reject cookies without losing website functionality
- Third-party scripts are documented and disclosed
- Your website uses HTTPS
- You have a named contact for Data Subject Access Requests
- You have a documented process for handling DSARs within 30 days
- Staff privacy notice is issued to employees
- Data Processing Agreements are in place with external service providers
- Employee data retention policy is documented
- You are registered with the ICO (if required)
What’s Next
If you’re starting from scratch, work through steps 1–8 above. Most of this work takes a day or two for a small business. The biggest time sink is usually updating your privacy policy, but using a template that you then customise to your actual practices speeds this up.
Once you’ve completed the basics, a GDPR compliance screening from Bartram Web reveals what you might have missed — things an external audit catches that internal reviews don’t. We scan your website, check your privacy policy against the 12-point standard, test your cookie consent, identify all third-party trackers, and deliver a prioritised action plan.
The GDPR compliance checklist gives you 20 testable items you can tick off as you go. If you want to understand the broader employment data handling piece separately, a dedicated guide covers staff privacy notices and HR-specific obligations.
Get this right now and you’re not vulnerable to enforcement action later.
Last updated: 2026-03-23