GDPR compliance for UK businesses: website checklist 2026

Steven | TrustYourWebsite · 3 May 2026

The UK retained GDPR after Brexit as UK GDPR. The Information Commissioner's Office (ICO) enforces it alongside the Privacy and Electronic Communications Regulations 2003 (PECR) for cookies and electronic marketing. The Data (Use and Access) Act 2025 modernised some provisions but left the core obligations in place.

The honest position for SMEs: headline ICO fines target large companies (British Airways £20M, Marriott £18.4M, TikTok £12.7M). The ICO also investigates UK SMEs — typically through warnings, public reprimands, and undertakings, plus PECR fines for unsolicited marketing — but the compliance requirements are identical at every scale.

This checklist covers what UK websites must do in 2026.


1. Cookie consent (PECR Regulation 6)

Required: Yes, for any non-essential cookies.

Under PECR Regulation 6, you must obtain prior consent before storing information on, or accessing information already stored on, a visitor's device, unless that storage or access is strictly necessary for a service the visitor has asked for. The rule is technology-neutral: it covers cookies, localStorage, tracking pixels and device fingerprinting alike, and "strictly necessary" means necessary for the visitor, not convenient for you (analytics and advertising never qualify).

Your cookie banner must:

  • Offer an equally prominent "Reject All" option alongside "Accept All"
  • Not set tracking scripts before the visitor makes a choice
  • Not use pre-ticked boxes for optional cookies
  • Remember the visitor's choice for future visits

What the ICO flags as dark patterns: An "Accept All" button in large green text alongside a small grey "Manage Preferences" link. The ICO's November 2023 top-100 letter campaign cited asymmetric button styling as a primary failure.

Action: Open a private window (so no earlier choice is remembered), click "Reject All" on your own website, then open browser DevTools → Network and filter for "google-analytics", "googletagmanager", "doubleclick" and "facebook". Also check Application → Cookies for _ga or _gid. If any of those appear after a rejection, the banner is decorative: the tracking scripts run regardless of the choice.


2. Privacy notice

Required: Yes, under UK GDPR Articles 13 and 14, and the Data Protection Act 2018.

Your privacy notice must cover:

  • What personal data you collect (names, emails, IP addresses)
  • Your lawful basis for processing each category
  • How long you retain data
  • Which third parties have access (Google Analytics, payment processors, email tools)
  • How visitors can exercise their rights (access, rectification, erasure, restriction, portability, objection)
  • How to lodge a complaint with the ICO

A complaint about missing or inadequate privacy notices is one of the most common categories the ICO handles from members of the public.

ICO contact for complaints: ico.org.uk/concerns

Action: Check your privacy notice exists, is linked from every page footer, and accurately describes your specific data processing — not a generic template.


3. Company registration details (Companies Act 2006)

Required: Yes, for UK limited companies, under the Companies (Trading Disclosures) Regulations 2008 (Reg 7) and the E-Commerce Regulations 2002.

Every UK limited company must display on its website:

  • Full registered company name
  • Company registration number (Companies House number)
  • Place of registration (e.g. "Registered in England and Wales", "Registered in Scotland")
  • Registered office address

Under the E-Commerce Regulations 2002 (Reg 6), any provider of online services must also display:

  • A geographic address where the business is established (not a PO Box)
  • A direct contact email address
  • VAT number if VAT-registered
  • Any professional regulatory body if applicable (e.g. SRA, FCA, GMC)

Sole traders are not required to display Companies House details; they should display their own name, business address, and contact details.

Where to put it: Footer of every page, plus your contact page.

Action: Check your website footer. Does it show your Companies House number, place of registration, and registered office address?


4. Data subject rights

Required: Yes, under UK GDPR Articles 15-22.

Any person whose data you hold can submit a Data Subject Access Request (DSAR, also called a SAR). You must respond without undue delay and within one month; that can be extended by up to two further months for complex or numerous requests, provided you tell the requester within the first month and explain why. The ICO has issued public reprimands against UK organisations for missed SAR deadlines, and fines for repeat or systemic failures.

The Data (Use and Access) Act 2025 introduced a "stop the clock" mechanism: if you need clarification about a request, you can pause the one-month deadline while you wait for the response. This is a small but useful change in the UK regime.

Your privacy notice must explain how to submit a request. For small businesses, a dedicated email address (e.g. privacy@yourcompany.co.uk) is sufficient.

Action: Test your DSAR process. If someone emailed asking for all data you hold about them, could you find it across every system that holds it (CRM, mailing list, support desk, analytics, backups) and respond within one month?


5. Data breach notification

Required: Yes, under UK GDPR Articles 33 and 34.

If you suffer a personal-data breach (a cyberattack, lost laptop, accidental email to the wrong person), you must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Breaches you decide not to report must still be recorded internally along with the reasoning (Article 33(5)). Where the risk to individuals is high, Article 34 also requires you to tell the affected people directly without undue delay.

The ICO publishes breach statistics annually. In 2024 it received roughly 8,000-9,000 personal-data-breach notifications.

Action: Do you have a documented procedure for identifying and reporting a breach within 72 hours?


6. ICO data-protection fee

Required: Yes, for almost all organisations processing personal data, under the Data Protection (Charges and Information) Regulations 2018.

The fee is structured in three tiers based on size and turnover:

  • Tier 1 (most small businesses): £40 per year
  • Tier 2 (medium): £60 per year
  • Tier 3 (large): £2,900 per year

A handful of exemptions apply (purely personal use, certain not-for-profits) but the default for any business processing customer data electronically is that the fee is payable.

The ICO can issue penalty notices of up to £4,350 (150% of the top-tier fee) for non-payment.

Action: Check whether you're registered at ico.org.uk/registration. The public register lets anyone — including the ICO — verify status.


7. Google Analytics and third-party tools

Risk: Medium in the UK, lower than in France/Italy, higher than zero.

Transfers from the UK to the US are covered by the UK Extension to the EU-US Data Privacy Framework, the "UK-US Data Bridge", in force since 12 October 2023. That means sending UK personal data to US recipients certified under it is not the headline issue it was in France or Austria. But the transfer mechanism is only half the question: PECR Regulation 6 still requires prior consent before the analytics script stores or reads anything on the device, and UK GDPR Article 6 still requires a lawful basis for the processing that follows.

The safer options:

  1. Implement Google Consent Mode v2 with all four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) defaulting to "denied", and load the gtag.js script itself only after consent ("basic" consent mode). In "advanced" consent mode gtag.js loads before the choice and sends cookieless pings while denied; that still puts a Google script on the page before the visitor has decided, which is the harder position to defend under Regulation 6.
  2. Switch to a privacy-focused analytics tool that can run without non-essential cookies (Plausible, Fathom, self-hosted Matomo). Check the tool's actual behaviour: anything that still sets an identifier on the device needs consent, whoever hosts it.
  3. Disable analytics entirely until proper consent infrastructure is in place.

Action: Check whether your analytics tool is loading before the visitor accepts cookies.
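The gate described in the banner requirements in section 1 (no tracking scripts before a choice, "Reject All" remembered) and in option 1 above, as an added example that is not code from this page or from Google. The storage key, the placeholder measurement ID G-XXXXXXX, the {analytics, marketing} choice shape and the injected `storage`/`loadScript` hooks are all assumptions made for this example; gtag() itself is written the way Google's snippet defines it (each call pushed onto the dataLayer).

```javascript
// Consent-gated loader: Consent Mode v2 "denied" defaults plus a hard gate
// that injects gtag.js only after the visitor grants analytics.
// Storage key, the G-XXXXXXX measurement ID and the {analytics, marketing}
// choice shape are assumptions made for this example.

const CONSENT_KEY = 'cookie_consent_v1';

// gtag() exactly as Google's snippet defines it: every call is an
// arguments object pushed onto dataLayer. dataLayer is injected here
// so the logic runs (and can be tested) outside a browser.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// A stored decision. Anything missing or malformed means "no decision yet",
// which must be treated as denied, never as granted.
function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY));
    if (!parsed || typeof parsed.analytics !== 'boolean' ||
        typeof parsed.marketing !== 'boolean') return null;
    return { analytics: parsed.analytics, marketing: parsed.marketing };
  } catch (e) {
    return null;
  }
}

// Map the visitor's two choices onto the four Consent Mode v2 signals.
function toConsentSignals(choice) {
  const g = (b) => (b ? 'granted' : 'denied');
  return {
    analytics_storage: g(choice.analytics),
    ad_storage: g(choice.marketing),
    ad_user_data: g(choice.marketing),
    ad_personalization: g(choice.marketing),
  };
}

// Persist the decision (so the banner is not shown again), push the consent
// update, and only then decide whether the analytics script may be injected.
// "Reject All" takes this same path with both flags false.
function applyChoice(choice, ctx) {
  ctx.storage.setItem(CONSENT_KEY, JSON.stringify(choice));
  makeGtag(ctx.dataLayer)('consent', 'update', toConsentSignals(choice));
  const loaded = choice.analytics === true;
  if (loaded) {
    // "Basic" consent mode: no Google script on the page until this point.
    ctx.loadScript('https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX');
  }
  return { showBanner: false, loaded };
}

// Run at the top of every page, before any tag. Pushes the denied defaults
// first, then replays a remembered choice if there is one.
function initConsent(ctx) {
  makeGtag(ctx.dataLayer)('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
  });
  const stored = readConsent(ctx.storage);
  if (!stored) return { showBanner: true, loaded: false };
  return applyChoice(stored, ctx);
}

// Minimal in-memory stand-in for localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Simulate a first visit, a "Reject All" click, and a return visit.
function demo() {
  const loadedScripts = [];
  const ctx = {
    dataLayer: [],
    storage: memoryStorage(),
    loadScript: (src) => loadedScripts.push(src),
  };
  const first = initConsent(ctx);                               // banner shown, nothing loaded
  const rejected = applyChoice({ analytics: false, marketing: false }, ctx);
  const again = initConsent(ctx);                               // remembered, still nothing loaded
  return { first, rejected, again, loadedScripts, dataLayer: ctx.dataLayer };
}

console.log('scripts loaded after Reject All:', JSON.stringify(demo().loadedScripts));
```

In a browser you would call initConsent with `window.dataLayer = window.dataLayer || []` as the dataLayer, `window.localStorage` as the storage, and a loadScript that creates an async `<script>` element and appends it to `<head>`; the "Accept All" and "Reject All" buttons both call applyChoice. The point of the design is the order of operations: the denied default is on the dataLayer before anything else, a malformed or absent stored choice is never upgraded to consent, and the analytics script is not on the page at all until analytics is granted, so the DevTools check in section 1 comes back empty after a rejection.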


8. TLS (SSL) and security basics

Required: Yes. UK GDPR Article 32 requires "appropriate technical and organisational measures", and serving a form over plain HTTP is the kind of basic failure the ICO does not accept as proportionate for any size of business.

If your website transmits personal data (any form with a name or email field) without HTTPS, that is a potential UK GDPR violation. Ensure:

  • Valid TLS certificate on all pages, with HTTP redirecting to HTTPS
  • No mixed content (HTTP resources on HTTPS pages, including form actions)
  • Security headers configured (Strict-Transport-Security with a max-age of at least a year, Content-Security-Policy)
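A quick offline audit of those three points, as an added example that is not from this page or any scanner product: it parses the HSTS header, checks for a CSP, and scans the HTML for resources and form actions that would go out over plain HTTP. The sample response below is constructed for the example, and the one-year HSTS threshold is this example's own choice.

```javascript
// Offline audit of a page's transport-security posture: HSTS parsing, CSP
// presence, and mixed-content detection in the HTML. Added example; the
// sample headers and HTML below are constructed, not captured from a real site.

// Parse Strict-Transport-Security into its directives.
// Returns null when the header is absent or has no usable max-age.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=').map((s) => (s || '').trim().toLowerCase());
    if (k === 'max-age' && /^\d+$/.test(v)) out.maxAge = Number(v);
    else if (k === 'includesubdomains') out.includeSubDomains = true;
    else if (k === 'preload') out.preload = true;
  }
  return out.maxAge === null ? null : out;
}

// Find resources a browser would fetch over plain HTTP from an HTTPS page,
// and forms that would submit personal data over HTTP. Protocol-relative and
// https:// URLs are fine and are skipped. Regexes suffice for an audit pass;
// this is not an HTML parser.
function findMixedContent(html) {
  const findings = [];
  const attrRe = /<(script|img|link|iframe|video|audio|source|form)\b[^>]*?\s(src|href|action)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    findings.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: m[3] });
  }
  return findings;
}

// Evaluate one response. `headers` is a plain object of header name -> value
// (any case); `html` is the response body.
function auditResponse({ url, headers, html }) {
  const issues = [];
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;

  if (!/^https:/i.test(url)) {
    issues.push('page is served over HTTP; any form on it sends personal data in clear');
  }
  const hsts = parseHsts(h['strict-transport-security']);
  if (!hsts) {
    issues.push('no Strict-Transport-Security header (or no max-age)');
  } else {
    if (hsts.maxAge < 31536000) issues.push(`HSTS max-age ${hsts.maxAge} is under one year`);
    if (!hsts.includeSubDomains) issues.push('HSTS lacks includeSubDomains');
  }
  if (!h['content-security-policy']) {
    issues.push('no Content-Security-Policy header');
  }
  for (const f of findMixedContent(html || '')) {
    issues.push(`mixed content: <${f.tag} ${f.attr}="${f.url}">`);
  }
  return issues;
}

// Constructed sample: an HTTPS page with a one-day HSTS value, no CSP, a
// plain-HTTP analytics script and a contact form posting over HTTP.
const SAMPLE = {
  url: 'https://www.example.co.uk/contact',
  headers: {
    'Content-Type': 'text/html; charset=utf-8',
    'Strict-Transport-Security': 'max-age=86400',
  },
  html: `<html><head>
  <script src="http://analytics.example.net/track.js"></script>
  <link rel="stylesheet" href="https://cdn.example.net/site.css">
</head><body>
  <form action="http://www.example.co.uk/submit" method="post">
    <input name="email"><button>Send</button>
  </form>
  <img src="//cdn.example.net/logo.png">
</body></html>`,
};

function demoAudit() { return auditResponse(SAMPLE); }

console.log(demoAudit().join('\n'));
```

To run it against a live page, fetch the URL with Node's `fetch`, pass `Object.fromEntries(res.headers)` and `await res.text()` to auditResponse, and repeat for the HTTP variant of the URL to confirm it redirects rather than serving the page. The form-action check is the one people miss: a page can be green-padlocked while its contact form still posts the visitor's email address to an HTTP endpoint.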

9. Electronic marketing (PECR Regulation 22)

Required: Yes, if you do email or SMS marketing.

PECR Regulation 22 governs unsolicited marketing by "electronic mail", which in PECR covers email, SMS and similar messaging, not email alone. The structure:

  • B2C email and SMS (individual subscribers): consent required. Soft opt-in available for existing customers whose details you obtained in the course of a sale or negotiations, for marketing your own similar products, provided they could refuse at the time and can refuse in every message.
  • B2B email and SMS to limited companies and LLPs (corporate subscribers): Regulation 22 does not apply, but Regulation 23 still requires a clear sender identity and a valid address for opt-outs, and UK GDPR still applies to any named individual's address.
  • B2B to sole traders and (outside Scotland) partnerships: treated as individual subscribers, so the B2C rules apply.
  • Every message, to any audience: working unsubscribe and no concealed sender identity.

Most ICO PECR fines target companies that bought or scraped lists and then ran cold campaigns into B2C addresses. This is the single largest source of ICO monetary penalties for SMEs.


Free website check in 60 seconds

Our scanner tests your cookie banner (including whether rejecting actually stops trackers), checks for your Companies House details, analyses your privacy notice, and runs 150+ additional checks specific to UK legal requirements.

Check your website for free →

No account required. Results in under 60 seconds.


This is technical analysis, not legal advice. Consult a qualified solicitor or data protection advisor for specific legal guidance.
