
GDPR for small websites: what you actually have to do

GDPR for a small business website, minus the fear: lawful basis, privacy policy, consent before tracking, lean forms and processor agreements — the essentials that actually apply to you.

  • GDPR
  • privacy
  • compliance
  • small business
  • cookies
  • web development

GDPR has a reputation for being terrifying, expensive and mostly aimed at big tech. For a small business website, the reality is narrower and far more manageable: a handful of principles, a clear reason for collecting each piece of data, an honest privacy policy, and consent before you drop non-essential tracking. This is what you actually have to do — and what you can safely stop worrying about.

If you are building the site as part of a wider launch, this fits into the bigger picture we cover in how to start an online business in Europe.

First, the myth: there is no "small business" exemption

Plenty of founders assume GDPR only bites once you hit a certain size. It does not. The European Commission is explicit: whether the rules apply "depends not on the size of your company/organisation but on the nature of your activities." A one-person shop collecting email addresses is covered just as much as a multinational. [Source: European Commission — Do the rules apply to SMEs?]

This is a genuine difference from some newer EU rules. The European Accessibility Act, for example, carves out microenterprises (broadly, fewer than 10 staff and under €2m turnover) from parts of its scope. GDPR has no equivalent size cut-off.

What does scale with size is a couple of specific obligations. If you have fewer than 250 employees, you generally do not need to keep a formal record of processing activities (Article 30(5)) — unless the processing is regular, poses a risk to people's rights, or involves sensitive data. Most SMEs also do not need a Data Protection Officer. But the core duties — transparency, a lawful basis, security, respecting people's rights — apply to everyone.

The core principles, in plain English

GDPR Article 5 sets out seven principles. You do not need to memorise the article numbers; you need to run your website against the plain-English versions:

  • Lawfulness, fairness and transparency — have a legitimate reason to collect the data, don't be sneaky about it, and tell people what you're doing.
  • Purpose limitation — collect data for a specific purpose, not "just in case".
  • Data minimisation — only ask for what you actually need.
  • Accuracy — keep it correct and let people fix it.
  • Storage limitation — don't keep it forever.
  • Integrity and confidentiality — keep it secure.
  • Accountability — be able to show you're doing the above.

Almost everything below is just these principles applied to the parts of a website you already have.

Have a lawful basis for every bit of data

Before you collect any personal data, you need one of six lawful bases from Article 6. For a typical small site, three of them cover nearly everything:

  • Consent — the person actively agreed (e.g. ticking a box to join your newsletter).
  • Contract — you need the data to deliver something they asked for (e.g. a delivery address for an order).
  • Legitimate interests — a reasonable business need that doesn't override the person's rights (e.g. basic fraud prevention).

The practical takeaway: for each form and each tracking script, be able to answer "why am I allowed to collect this?" in one sentence. If you can't, you probably shouldn't be collecting it.

Consent before tracking — this is the cookie part

This is where most small sites slip up, and it's a separate rule layered on top of GDPR: the ePrivacy Directive. It requires prior consent before you set any non-essential cookie or tracker — that means analytics, advertising pixels, and embedded third-party widgets must wait until the visitor says yes.

Strictly necessary cookies — the ones that keep a login session alive, remember a shopping cart, or do load balancing — do not need consent, though you should still explain them. Everything else does. And the consent has to be real: freely given, specific, informed and unambiguous, with a genuine "reject" option that's as easy as "accept", and a way to withdraw later. A pre-ticked box or a cookie wall that fires Google Analytics before you click anything does not count. [Source: GDPR.eu / ePrivacy Directive]

We go deeper on getting the banner right in EU cookie consent rules. If you're not sure whether your current setup passes, our GDPR / cookie checker scans your site for trackers that fire before consent.
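The consent-first behaviour described above (nothing non-essential fires until the visitor says yes, reject is one click like accept, consent can be withdrawn) can be enforced in the page itself rather than left to each script. The following is an added example, not code from the original post or from web1o's checker; the category names, the `loadScript` callback and the storage interface are assumptions. In a browser you would pass `window.localStorage` as the storage and a `loadScript` that appends a `<script>` tag to `document.head`.

```javascript
// Added example: a minimal consent gate for non-essential trackers.
// Anything not in NON_ESSENTIAL is treated as strictly necessary (cart, session, load balancing).
const NON_ESSENTIAL = ["analytics", "marketing"];

function memoryStorage() {  // stand-in for window.localStorage when run outside a browser
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: k => m.delete(k) };
}

function createConsentGate(loadScript, storage = memoryStorage()) {
  const queued = new Map();   // category -> script URLs waiting for a decision
  const loaded = [];          // URLs actually handed to loadScript, in order

  const read = () => { const raw = storage.getItem("consent"); return raw ? JSON.parse(raw) : null; };

  function allowed(category) {
    if (!NON_ESSENTIAL.includes(category)) return true;      // strictly necessary: no consent needed
    const rec = read();
    return rec !== null && rec.choices[category] === true;   // no record, or an explicit "no", blocks
  }

  function load(url) { loadScript(url); loaded.push(url); }

  // Register a script under a category; it loads now only if that category is already allowed.
  function register(category, url) {
    if (allowed(category)) { load(url); return true; }
    if (!queued.has(category)) queued.set(category, []);
    queued.get(category).push(url);
    return false;
  }

  // Record an explicit decision per category (unmentioned = refused) and release only consented queues.
  function decide(choices) {
    const record = { choices: {}, at: new Date().toISOString() };
    for (const c of NON_ESSENTIAL) record.choices[c] = choices[c] === true;
    storage.setItem("consent", JSON.stringify(record));
    for (const [cat, urls] of [...queued]) {
      if (record.choices[cat]) { urls.forEach(load); queued.delete(cat); }
    }
    return record;
  }

  const acceptAll = () => decide(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true])));
  const rejectAll = () => decide({});                  // one click, same effort as acceptAll
  const withdraw = () => storage.removeItem("consent"); // already-loaded scripts need a reload to stop

  return { allowed, register, decide, acceptAll, rejectAll, withdraw, loaded: () => loaded.slice() };
}
```

Because the default state is "no record", a visitor who never interacts with the banner gets the same treatment as one who rejected: only strictly necessary scripts run.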

Write a real privacy policy

Transparency means telling people, in language they can understand, what you do with their data. A workable small-business privacy policy covers:

  • Who you are and how to contact you.
  • What data you collect (contact form details, order data, analytics, etc.).
  • Why you collect it and your lawful basis.
  • Who you share it with (your email tool, payment processor, hosting).
  • How long you keep it.
  • People's rights — access, correction, deletion, objection, and how to complain to a supervisory authority.

You don't need a lawyer to draft a proportionate policy for a simple brochure or shop site, but it must be accurate. A copy-pasted template that lists tools you don't use, or omits ones you do, is worse than useless.

Minimise your forms

Data minimisation is the cheapest compliance win there is. Every field you remove is one less thing to justify, secure and eventually delete. A contact form needs a name, an email and a message — it does not need a phone number, company size and job title "for our records". A newsletter sign-up needs an email address. Ask for less, and most of your data-protection risk simply evaporates.

Sort out your processor agreements

Here's the one that surprises founders: the moment you use a third-party tool that handles your visitors' data — an email marketing platform, a form service, analytics, a CRM, your host — that provider is a data processor acting on your behalf. GDPR requires a written contract governing that relationship (a Data Processing Agreement, Article 28).

The good news: reputable providers publish a standard DPA that you accept when you sign up, so this is often a case of confirming it exists rather than negotiating anything. Keep a short list of every tool that touches personal data and check each one has a DPA in place. If a provider can't point you to one, that's a red flag.

A quick self-check

You're in reasonable shape if you can say yes to:

  • I can name a lawful basis for every form and tracker on my site.
  • Non-essential cookies only fire after the visitor consents, and rejecting is as easy as accepting.
  • I have an accurate, findable privacy policy.
  • My forms ask only for what I need.
  • Every third-party tool handling data has a DPA.

For the wider picture — accessibility, cookies and terms all in one pass — see is your website legal in the EU.

This is general information, not legal or tax advice — rules vary by country and change; confirm with a qualified professional before acting.

Where we come in

Most GDPR pain on small sites comes from how the site was built — trackers loaded before consent, forms hoovering up data no one uses, no privacy policy wired in. When we build sites, consent-first tracking and sensible data handling are baked in from the start. Take a look at our web development service, or book a free consultation and we'll tell you honestly where your current site stands.