Websites · 4 min read
GDPR for a small business website — explained simply
What do data protection rules actually require of an ordinary business website? A practical, readable walk-through of GDPR for small businesses, no legal fog.
By Mediseo

GDPR sounds like something only large companies with a legal department need to worry about. But the rules apply to a perfectly ordinary business website too. The good news is that most of it comes down to common sense. Here's the practical picture, without the legal fog.
What GDPR is really about
GDPR is the data protection regulation — shared European rules for how organisations should handle personal data. Personal data is any information that can be linked to a particular person: name, email address, phone number, and sometimes something as simple as an IP address.
The heart of the rules is easy to remember: only collect what you actually need, be open about what you do with it, and look after it safely. Everything technical and legal around this flows from those three principles.
Where does an ordinary website collect data?
Most small sites collect more than their owners realise — usually through entirely ordinary features:
- Contact forms collect names, emails and whatever people type.
- Newsletter sign-ups store email addresses.
- Analytics tools record how visitors move around the site.
- Cookies remember visitors between visits.
None of this is forbidden. The point is that you should know it's happening and be able to explain it. The first step towards being in line with the rules is simply having an overview of what your site actually collects.
What you should have in place
For a typical small business website, it boils down to a few concrete things.
A privacy notice. A simple page that explains what data you collect, why, how long you keep it, and how people can ask to see or delete it. It doesn't need to be long — it needs to be honest and understandable.
Cookie consent. If you use cookies for anything beyond the strictly necessary — analytics or marketing, for instance — visitors should be able to opt in or out before those cookies are set. That means a cookie banner that genuinely lets people say no, not just an "OK" button.
Clear consent in forms. If someone signs up to your newsletter, it should be because they actively chose to — not a pre-ticked box they forgot to clear. Ask for what you need, explain what it's used for, and no more.
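The two points above, opt-in before non-essential cookies are set and no pre-ticked boxes, are easy to get wrong in code. As an added illustration (not code from the original article or from Mediseo), here is a minimal consent gate in JavaScript: analytics and marketing scripts stay blocked until the visitor has made an explicit choice, any category not actively ticked is stored as "no", and withdrawing consent is one call. The category names, the storage key and the in-memory storage stand-in are assumptions made for the example.

```javascript
// Added example (not from the article): gate non-essential cookies behind an
// explicit choice; anything not actively ticked is treated as "no".
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed names
const STORAGE_KEY = "cookie-consent-v1";                   // assumed key
// storage: anything with getItem/setItem/removeItem (window.localStorage in a
// browser; memoryStorage() below lets the example run in Node).
function createConsentGate(storage) {
  function readChoice() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null; // no decision recorded yet
    try {
      const parsed = JSON.parse(raw);
      return parsed && typeof parsed === "object" ? parsed : null;
    } catch (e) {
      return null; // unreadable record counts as undecided, never as "yes"
    }
  }
  return {
    // true only once the visitor has actually answered the banner
    hasDecided() { return readChoice() !== null; },
    // strictly necessary cookies need no consent; all others need an explicit true
    allows(category) {
      if (category === "necessary") return true;
      const choice = readChoice();
      return choice !== null && choice[category] === true;
    },
    // record a choice; categories not explicitly ticked are stored as false
    decide(choices) {
      const record = {};
      for (const c of CATEGORIES) if (c !== "necessary") record[c] = choices[c] === true;
      storage.setItem(STORAGE_KEY, JSON.stringify(record));
    },
    rejectAll() { this.decide({}); },                // the "no" button: one click
    withdraw() { storage.removeItem(STORAGE_KEY); }, // withdrawing is as easy as giving
    // run a loader (e.g. the analytics snippet) only if its category is allowed
    loadIfAllowed(category, loader) {
      if (!this.allows(category)) return false;
      loader();
      return true;
    },
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: (k) => { m.delete(k); } };
}
```

In a real page the analytics loader passed to `loadIfAllowed` would be the snippet that inserts the tracking script tag, so it never runs for a visitor who has not said yes.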
Common misconceptions
"We're too small for GDPR to apply to us." No. The rules apply regardless of size. What varies is the scope of what you have to do, not whether the rules apply.
"We have to ask for consent for absolutely everything." No. If you need an email address to reply to an enquiry, that's fine without separate consent — it's a natural part of what people asked for. Consent is required mainly for things like marketing and non-essential cookies.
"A privacy notice is enough." It's important, but the rules are just as much about practice. There's little point in promising safe handling on paper if the emails containing customer data sit open to every member of staff.
A simple approach that actually works
You don't need to get this perfect from day one. A sensible order:
- Write down what the site collects, and where it ends up.
- Remove what you don't need. Less data is less to worry about.
- Write an honest privacy notice that describes what actually happens.
- Make sure cookie consent and forms ask for what you need, in a tidy way.
- Check that the data is stored safely, and that only those who need it have access.
What we tend to tell businesses is that GDPR isn't an obstacle, but a form of good order. Those who keep their data tidy come across as more trustworthy — and avoid an uncomfortable surprise the day a customer asks what you've actually stored about them.
Frequently asked questions
Do I need a privacy notice even if I only have a contact form?
Yes. The moment someone sends you their name and email via the form, you're processing personal data. A simple privacy notice explaining what happens to it is the right thing to do — and what people expect.
Is it allowed to use Google Analytics?
Yes, but you should ask for consent before setting analytics cookies, and be open about their use in your privacy notice. Many people also choose more privacy-friendly analytics tools to make this simpler.
What happens if a customer asks to be deleted?
They have the right to have their personal data deleted, with some exceptions — for example data you're legally required to keep, such as accounting records. In practice it means locating and removing what you've stored about that person, and confirming it's done.