Do I need a cookie banner?

If your website uses any non-essential cookies — including Google Analytics, Facebook Pixel, or similar tracking tools — you need a cookie banner that gives visitors a genuine choice to accept or reject them. The banner must block these cookies until consent is given. A banner that only has an 'Accept' button, or one that loads tracking scripts regardless of what the visitor clicks, does not count as valid consent.

What is a privacy policy?

A privacy policy is a legal document that explains what personal data your website collects, why you collect it, how long you keep it, and who you share it with. Under UK GDPR, every website that collects any personal data — even just through a contact form — is required to have one. It should be specific to your business, not a generic template, and must be linked from every page of your site.

Can I be fined for GDPR non-compliance?

Yes. Maximum fines under UK GDPR are up to £17.5 million or 4% of annual turnover. In practice, the ICO typically issues enforcement notices to small businesses first, requiring them to fix the problem. However, fines become more likely for serious or repeated violations, and any member of the public can report you to the ICO with a complaint — including competitors.

What data does my website collect?

Most business websites collect more data than their owners realise. Contact forms gather names, emails, and phone numbers. Google Analytics tracks visitor behaviour, device information, and location data. Cookie-based tools like Facebook Pixel and Hotjar record browsing patterns. If your site uses any third-party service, it is likely sending visitor data to servers outside the UK, which is an international data transfer that must be disclosed in your privacy policy.

Checklist

Is my website GDPR compliant? A checklist for UK small businesses.

Q: Is my website GDPR compliant?

To be GDPR compliant, your website needs a privacy policy that names your business and lists what data you collect, a cookie banner that genuinely blocks tracking until consent is given, and a lawful basis for processing any personal data. Most small business websites have gaps in at least one of these areas. You can check the basics yourself in about 10 minutes using a simple checklist.

By Nicholas Hartnell, StagHill Software — March 2026

GDPR applies to every UK business with a website. The fines are real — up to £17.5 million or 4% of annual turnover. Most small businesses have gaps they don't know about. Here's how to check yours in 10 minutes.

Privacy policy

Do you have a privacy policy?
Is it linked from every page (usually in the footer)?
Does it name your business and include a contact email?
Does it list what data you collect and why?
Does it state your lawful basis for processing (usually "legitimate interest" or "consent")?
Does it say how long you keep data?
Does it mention the right to complain to the ICO?

If you're using a template privacy policy you found online, check it actually matches what your website does. A privacy policy that says "we don't collect data" while your site runs Google Analytics and has a contact form is worse than no policy at all.

Cookie consent

Does a cookie banner appear on first visit?
Does it offer a genuine choice (not just "Accept")?
Can visitors reject non-essential cookies?
Are analytics and tracking cookies blocked until consent is given?
Can visitors change their preference later?

Common mistake: Many cookie banners are cosmetic. They show a popup but load Google Analytics, Facebook Pixel, and other tracking scripts regardless of what the visitor clicks. That's not consent. That's decoration.

Contact forms

Does the form explain what you'll do with the data?
Is there a link to your privacy policy near the form?
Are you only collecting what you actually need?
Where does the form data go? Who can access it?

Third-party services

Do you use Google Analytics, Facebook Pixel, Hotjar, or similar?
Are these disclosed in your privacy policy?
Do any of these transfer data outside the UK/EU?
If yes, have you checked they have appropriate safeguards (Standard Contractual Clauses)?

Google Analytics sends data to servers in the United States. That's an international data transfer. Your privacy policy needs to mention this and explain the legal basis for it.

Data retention

Do you know how long you keep contact form submissions?
Do you know how long your analytics data is stored?
Is this stated in your privacy policy?
Do you actually delete data when the retention period ends?

"We keep data indefinitely" is not a valid retention policy. You need a specific period with a reason. 12 months for enquiries is typical. Google Analytics defaults to 14 months.

The right to be forgotten

If someone emails you asking to delete their data, can you do it?
Do you know where all their data is stored?
Can you delete it from your email, CRM, analytics, backups?

What happens if you fail

The ICO (Information Commissioner's Office) handles GDPR enforcement in the UK. For small businesses, the typical outcome is an enforcement notice telling you to fix the problem. Fines are reserved for serious or repeated violations.

But here's the real risk: a customer complaint. Anyone can report you to the ICO. If a competitor notices your website has no cookie consent and no privacy policy, one complaint could trigger an investigation.

Not sure if you're compliant?

GDPR is one of the six areas we check in our free business audit. We'll review your website, privacy policy, cookie setup, and data handling. If there are gaps, we'll tell you exactly what to fix.

Request your free audit

← Back to StagHill Software