If you run a business website in England, or anywhere else in the UK, GDPR applies to you. It came into effect when the UK left the European Union and mirrors the original EU regulation closely, so the rules will feel familiar if you have read anything about GDPR before. Since 2018, these data protection rules have reshaped how organisations collect, store and use personal data, and they carry serious consequences for those who fall short. For small and family-run businesses, the rules can feel overwhelming, but compliance doesn’t have to be complicated or expensive.
This guide breaks down what GDPR actually means for your website, what cookie consent requires and how to get set up without the headache.
If your website collects any information from visitors (names, email addresses, IP addresses or even just cookie data) then GDPR very likely applies to you.
Its reach is broader than many business owners realise. It applies to any UK-based organisation that processes the personal data of people in the UK, regardless of how small the business is. That includes a local florist collecting email addresses for a newsletter, or a family-run B&B taking bookings through their website. If you have a contact form or enquiry page, or any kind of analytics running on your site, personal data is being collected.
If you also have customers or website visitors in the EU, the original EU GDPR applies to those interactions as well. For most England-based small businesses though, UK GDPR is the primary regulation to focus on. The two are closely aligned, so meeting one largely means meeting the other.
There are some narrow exceptions, such as data processed purely for personal or household use, but for the vast majority of small business websites the rules apply in full.
One of GDPR’s core requirements is that you must have a valid legal reason (known as a “lawful basis”) for every type of personal data you collect and process. There are six recognised bases, but for most small businesses the three most relevant are:
Consent comes with the strictest requirements. It must be freely given, specific and unambiguous, which means pre-ticked boxes or “by using this site you agree” notices are not good enough. People must actively opt in.
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has clear guidance on lawful bases if you want to read the official breakdown.
Cookies are where many small business websites fall down, often unintentionally. In the UK, cookie consent is governed by the Privacy and Electronic Communications Regulations (PECR), which sit alongside UK GDPR. Under PECR, you must obtain informed, opt-in consent from visitors before setting or accessing most cookies on their devices.
This includes:
The only cookies exempt from needing consent are “strictly necessary” ones, meaning those required for your site to function, such as session cookies that keep a shopping basket active.
A compliant cookie set-up must:
This is where a proper cookie consent tool makes a real difference.
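As an added example (written for this guide, not code from the article, from CookieYes or from any consent tool), here is a small consent gate in JavaScript that encodes the rules just described: strictly necessary cookies are set without asking, every other cookie is blocked until the visitor actively opts in, "by using this site you agree" implied consent is rejected, withdrawing consent removes the cookies already set, each decision is logged for audit, and the cookie registry doubles as the source for a cookie policy table. The cookie names, categories, lifetimes and the in-memory cookie jar are constructed for illustration; a real site would persist the consent record instead of keeping it in memory.

```javascript
// Added example, not code from the original article or from CookieYes.
// Cookie names, categories and the in-memory jar are constructed for illustration.

// Cookies this hypothetical site sets. Only 'necessary' may be set without
// consent; everything else waits for an explicit opt-in.
const COOKIE_REGISTRY = [
  { name: 'basket_session', category: 'necessary', purpose: 'Keeps the shopping basket active', maxAgeDays: 0 },
  { name: 'site_analytics', category: 'analytics', purpose: 'Visitor measurement', maxAgeDays: 365 },
  { name: 'ad_tracker', category: 'marketing', purpose: 'Advertising attribution', maxAgeDays: 90 },
];

const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Banner defaults: every optional box unticked, because pre-ticked boxes are not valid consent.
function defaultChoices() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

function createConsentStore() {
  let choices = defaultChoices(); // nothing optional is allowed until the visitor acts
  const log = [];                 // audit trail of every consent decision

  return {
    // Record an explicit decision. 'implied' (e.g. "by using this site you agree")
    // is rejected because PECR requires an affirmative act from the visitor.
    recordConsent(selection, method = 'banner') {
      if (method === 'implied') throw new Error('implied consent is not valid under PECR');
      const next = defaultChoices();
      for (const c of OPTIONAL_CATEGORIES) if (selection[c] === true) next[c] = true;
      choices = next;
      log.push({ at: new Date().toISOString(), method, choices: { ...next } });
      return { ...next };
    },
    // Withdrawing consent must be as easy as giving it.
    withdraw(category) {
      if (!OPTIONAL_CATEGORIES.includes(category)) return false;
      choices[category] = false;
      log.push({ at: new Date().toISOString(), method: 'withdraw', choices: { ...choices } });
      return true;
    },
    hasConsent(category) {
      return category === 'necessary' || choices[category] === true;
    },
    getLog() {
      return log.map((e) => ({ ...e }));
    },
  };
}

function findCookie(name) {
  return COOKIE_REGISTRY.find((c) => c.name === name);
}

// The gate: set the cookie only if it is strictly necessary or its category has consent.
// Returns true when the cookie was set, false when it was blocked.
function setCookie(jar, store, name, value) {
  const entry = findCookie(name);
  if (!entry) throw new Error(`unregistered cookie: ${name}`);
  if (!store.hasConsent(entry.category)) return false;
  jar[name] = value;
  return true;
}

// After a withdrawal, remove every cookie in that category; returns the names removed.
function clearCategory(jar, category) {
  const removed = [];
  for (const c of COOKIE_REGISTRY) {
    if (c.category === category && c.name in jar) {
      delete jar[c.name];
      removed.push(c.name);
    }
  }
  return removed;
}

// Rows for the cookie policy: what each cookie is, why it is set, and for how long.
function cookiePolicyRows() {
  return COOKIE_REGISTRY.map((c) => ({
    name: c.name,
    category: c.category,
    purpose: c.purpose,
    duration: c.maxAgeDays === 0 ? 'session' : `${c.maxAgeDays} days`,
  }));
}

// Walk-through of a visit: necessary cookie first, analytics blocked until opt-in, then withdrawn.
const demoJar = {};
const demoStore = createConsentStore();
console.log('basket cookie set:', setCookie(demoJar, demoStore, 'basket_session', 's1'));
console.log('analytics before consent:', setCookie(demoJar, demoStore, 'site_analytics', 'a1'));
demoStore.recordConsent({ analytics: true });
console.log('analytics after consent:', setCookie(demoJar, demoStore, 'site_analytics', 'a1'));
demoStore.withdraw('analytics');
console.log('removed on withdrawal:', clearCategory(demoJar, 'analytics'));
console.log('policy table:', cookiePolicyRows());
```

The registry is the single source of truth: the banner's categories, the gate and the policy table all read from it, so when a cookie is added or removed the policy cannot quietly drift from what the site actually sets, which is the same problem the automatic cookie scanning mentioned later is meant to solve.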
For small and family-run businesses, we always recommend CookieYes as the go-to solution for cookie consent. It has over one million active installations on WordPress alone and, for smaller businesses, there is a free plan available that covers the basics for most small websites.
CookieYes handles the hard work for you:
The free plan supports up to 5,000 pageviews per month, which is more than enough for most small business websites. For businesses running on WordPress, the plugin takes just minutes to set up with no coding required. Get started with CookieYes for free.
We always encourage our clients to set up their own CookieYes account rather than relying on their web developer’s. If your site is connected to a developer’s account and you part ways with them, you could lose access to your consent logs, cookie scanning and the ability to update your banner, all of which keep you compliant.
This has become more pressing following a recent CookieYes update. From March 2026, free accounts are limited to one connected site. Any developer who connected multiple client sites to a single free account will need to upgrade or disconnect those additional sites. If your site is affected, your banner will stay live but automatic cookie scanning will stop, meaning your cookie list can quietly fall out of date.
The free plan covers one site, which is enough for most small businesses, and having your own account means your compliance stays in your hands regardless of who builds or maintains your website. If you are not sure whose account your site is connected to, it is worth finding out. You can create your own free CookieYes account here.
UK GDPR gives individuals significant control over their personal data. As a website owner, you are legally required to support these rights and respond to requests within one month in most cases. The key rights include:
In practice, for a small business, this means having a clear privacy policy on your website, a way for people to contact you with data requests and a process for honouring those requests promptly. If you had your website built professionally, this should have been considered from the start, but it is worth double-checking.
The W3C Web Accessibility Initiative also has useful guidance on designing websites that respect user rights and privacy by default.
A privacy policy is a legal requirement under UK GDPR, not an optional extra. It should be clearly accessible from your website (usually linked in your footer) and explain:
Your cookie policy should be separate and cover specifically the cookies your site uses, their purpose and how long they last. CookieYes can generate this for you automatically based on your cookie scan results, and it updates as your cookies change.
If you’re not sure your website currently meets these requirements, our website support and security service includes compliance checks as part of ongoing site maintenance.
UK GDPR enforcement is handled by the ICO, and it takes complaints seriously. The penalties for non-compliance are set at two levels under the Data Protection Act 2018:
If your business also serves EU customers, EU GDPR carries equivalent fines set in euros rather than pounds. You can see examples of enforcement actions taken across the EU on the GDPR Enforcement Tracker. For ICO-specific cases, the ICO’s own enforcement register lists every penalty notice issued in the UK. For a small business, even a warning or minor investigation can be disruptive and damaging to your reputation. The good news is that for most small websites, getting compliant is simpler than you might think when you have the right tools in place.
If you’re not sure where you stand, work through this list:
If you’re ticking all of those boxes, you’re in good shape. If not, sorting out cookie consent is the best first step for most small websites and CookieYes is the simplest place to start.
At b:web, we build websites for small and family-run businesses that are designed to be compliant from day one. Whether you need a brand new site, a review of your existing one or ongoing support to keep everything in order, we’re here to help.
Get in touch with the b:web team for a chat about your website, no jargon and no pressure.
This article is intended as general guidance for small business owners and does not constitute legal advice. If you have specific concerns about your compliance obligations, we recommend speaking with a legal professional.