GDPR compliance for UK businesses: website checklist 2026

Steven | TrustYourWebsite · 3 May 2026 · Last updated: May 2026

The UK retained GDPR after Brexit as UK GDPR. The Information Commissioner's Office (ICO) enforces it alongside the Privacy and Electronic Communications Regulations 2003 (PECR) for cookies and electronic marketing. The Data (Use and Access) Act 2025 modernised some provisions but left the core obligations in place.

The honest position for SMEs: headline ICO fines target large companies (British Airways £20M, Marriott £18.4M, TikTok £12.7M). The ICO also investigates UK SMEs, typically through warnings, public reprimands and undertakings, plus PECR fines for unsolicited marketing, but the compliance requirements are identical at every scale.

This checklist covers what UK websites must do in 2026.

<div className="my-6 overflow-x-auto">
  <table className="w-full border-collapse text-sm">
    <thead>
      <tr className="bg-slate-100 text-left">
        <th className="border border-slate-300 px-3 py-2 font-semibold">#</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Obligation</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Source of law</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Who it applies to</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td className="border border-slate-300 px-3 py-2">1</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Cookie consent banner</td>
        <td className="border border-slate-300 px-3 py-2">PECR Reg 6</td>
        <td className="border border-slate-300 px-3 py-2">Any site with non-essential cookies</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2">2</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Privacy notice</td>
        <td className="border border-slate-300 px-3 py-2">UK GDPR Arts 13-14</td>
        <td className="border border-slate-300 px-3 py-2">Any site that collects personal data</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2">3</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Company registration footer</td>
        <td className="border border-slate-300 px-3 py-2">Companies Act 2006 s.82, E-Commerce Regs 2002</td>
        <td className="border border-slate-300 px-3 py-2">UK limited companies and online traders</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2">4</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">DSAR response process</td>
        <td className="border border-slate-300 px-3 py-2">UK GDPR Arts 15-22</td>
        <td className="border border-slate-300 px-3 py-2">Any controller of personal data</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2">5</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Breach notification (72 hours)</td>
        <td className="border border-slate-300 px-3 py-2">UK GDPR Art 33</td>
        <td className="border border-slate-300 px-3 py-2">Any controller of personal data</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2">6</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">ICO data-protection fee</td>
        <td className="border border-slate-300 px-3 py-2">DP (Charges and Info) Regs 2018</td>
        <td className="border border-slate-300 px-3 py-2">Almost all organisations</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2">7</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Analytics consent</td>
        <td className="border border-slate-300 px-3 py-2">PECR Reg 6 and UK GDPR Art 6</td>
        <td className="border border-slate-300 px-3 py-2">Any site running GA4 or similar</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2">8</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">SSL and security baseline</td>
        <td className="border border-slate-300 px-3 py-2">UK GDPR Art 32</td>
        <td className="border border-slate-300 px-3 py-2">Any site that processes personal data</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2">9</td>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Electronic marketing rules</td>
        <td className="border border-slate-300 px-3 py-2">PECR Reg 22</td>
        <td className="border border-slate-300 px-3 py-2">Any business sending email or SMS marketing</td>
      </tr>
    </tbody>
  </table>
</div>

1. Cookie consent banner

Required: Yes, for any non-essential cookies.

Under PECR Regulation 6, you must obtain prior consent before setting cookies that are not strictly necessary for the service requested.

Your cookie banner must:

  • Offer an equally prominent "Reject All" option alongside "Accept All"
  • Not set tracking scripts before the visitor makes a choice
  • Not use pre-ticked boxes for optional cookies
  • Remember the visitor's choice for future visits

What the ICO flags as dark patterns: An "Accept All" button in large green text alongside a small grey "Manage Preferences" link. The ICO's November 2023 top-100 letter campaign cited asymmetric button styling as a primary failure.

Action: Click "Reject All" on your own website, then open browser DevTools → Network and filter for "google-analytics". If requests appear, your banner is not working correctly.


2. Privacy notice

Required: Yes, under UK GDPR Articles 13 and 14 and the Data Protection Act 2018.

Your privacy notice must cover:

  • What personal data you collect (names, emails, IP addresses)
  • Your lawful basis for processing each category
  • How long you retain data
  • Which third parties have access (Google Analytics, payment processors, email tools)
  • How visitors can exercise their rights (access, rectification, erasure, restriction, portability, objection)
  • How to lodge a complaint with the ICO

A complaint about missing or inadequate privacy notices is one of the most common categories the ICO handles from members of the public.

ICO contact for complaints: ico.org.uk/concerns

Action: Check your privacy notice exists, is linked from every page footer and accurately describes your specific data processing, not a generic template.


3. Company registration details (Companies Act 2006)

Required: Yes, for UK limited companies, under the Companies (Trading Disclosures) Regulations 2008 (Reg 7) and the E-Commerce Regulations 2002.

Every UK limited company must display on its website:

  • Full registered company name
  • Company registration number (Companies House number)
  • Place of registration (e.g. "Registered in England and Wales", "Registered in Scotland")
  • Registered office address

Under the E-Commerce Regulations 2002 (Reg 6), any provider of online services must also display:

  • A geographic address where the business is established (not a PO Box)
  • A direct contact email address
  • VAT number if VAT-registered
  • Any professional regulatory body if applicable (e.g. SRA, FCA, GMC)

Sole traders are not required to display Companies House details. They should display their own name, business address and contact details.

Where to put it: Footer of every page, plus your contact page.

Action: Check your website footer. Does it show your Companies House number, place of registration and registered office address?


4. Data subject rights

Required: Yes, under UK GDPR Articles 15-22.

Any person whose data you hold can submit a Data Subject Access Request (DSAR). You must respond within one month. The ICO has issued public reprimands against UK organisations for missed SAR deadlines and fines for repeat or systemic failures.

The Data (Use and Access) Act 2025 introduced a "stop the clock" mechanism: if you need clarification about a request, you can pause the one-month deadline while you wait for the response. This is a small but useful change in the UK regime.

Your privacy notice must explain how to submit a request. For small businesses, a dedicated email address (e.g. privacy@yourcompany.co.uk) is sufficient.

Action: Test your DSAR process. If someone emailed asking for all data you hold about them, could you respond within 30 days?


5. Data breach notification

Required: Yes, under UK GDPR Article 33.

If you suffer a personal-data breach (a cyberattack, lost laptop, accidental email to the wrong person) that risks the rights and freedoms of individuals, you must notify the ICO within 72 hours of becoming aware. High-risk breaches must also be communicated directly to the affected individuals.

The ICO publishes breach statistics annually. In 2024 it received roughly 8,000-9,000 personal-data-breach notifications.

Action: Do you have a documented procedure for identifying and reporting a breach within 72 hours?


6. ICO data-protection fee

Required: Yes, for almost all organisations processing personal data, under the Data Protection (Charges and Information) Regulations 2018.

The fee is structured in three tiers based on size and turnover. A handful of exemptions apply (purely personal use, certain not-for-profits) but the default for any business processing customer data electronically is that the fee is payable.

<div className="my-6 overflow-x-auto">
  <table className="w-full border-collapse text-sm">
    <thead>
      <tr className="bg-slate-100 text-left">
        <th className="border border-slate-300 px-3 py-2 font-semibold">Tier</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Who pays it</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Threshold (staff and turnover)</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Annual fee</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Tier 1</td>
        <td className="border border-slate-300 px-3 py-2">Most UK SMEs</td>
        <td className="border border-slate-300 px-3 py-2">Up to 10 staff <em>or</em> turnover up to £632k</td>
        <td className="border border-slate-300 px-3 py-2">£40</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2 font-semibold">Tier 2</td>
        <td className="border border-slate-300 px-3 py-2">Medium-sized businesses</td>
        <td className="border border-slate-300 px-3 py-2">Up to 250 staff <em>or</em> turnover up to £36m</td>
        <td className="border border-slate-300 px-3 py-2">£60</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2 font-semibold">Tier 3</td>
        <td className="border border-slate-300 px-3 py-2">Large organisations</td>
        <td className="border border-slate-300 px-3 py-2">More than 250 staff <em>or</em> turnover above £36m</td>
        <td className="border border-slate-300 px-3 py-2">£2,900</td>
      </tr>
    </tbody>
  </table>
</div>

The ICO can issue penalty notices up to £4,000 for non-payment.

Action: Check whether you're registered at the ICO data protection fee page. The public register lets anyone, including the ICO, verify status.


7. Google Analytics and third-party tools

Risk: Medium in the UK, lower than in France/Italy, higher than zero.

The UK is covered by the EU's adequacy decision and the UK-US Data Bridge (in force since 12 October 2023). That means transfers of UK personal data to certified US recipients are not the headline issue they are in France or Austria. But PECR Regulation 6 and UK GDPR Article 6 still require lawful basis and prior consent before Google Analytics may run.

The safer options:

  1. Implement Google Consent Mode v2 with proper denial defaults
  2. Switch to a UK or EU-hosted analytics tool (Plausible, Fathom, Matomo self-hosted)
  3. Disable analytics entirely until proper consent infrastructure is in place

Action: Check whether your analytics tool is loading before the visitor accepts cookies.
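Sections 1 and 7 both come down to the same mechanism: default to denied, load nothing before a choice, and remember that choice. The following is an added example written for this article, not the site's own code or Google's: it uses the Consent Mode v2 storage keys and the `gtag('consent', …)` calls, withholds the tag script itself until an explicit choice exists (so no request reaches google-analytics before the click), and assumes a first-party cookie named `cookie_consent` for the stored choice. It runs in Node with a stand-in `dataLayer`.

```javascript
// Added example: consent-gated analytics with Consent Mode v2 defaults. In a browser,
// window.dataLayer replaces the array below; the gtag shim is the one Google's snippet defines.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];
const COOKIE_NAME = 'cookie_consent'; // assumed name for the first-party choice cookie

// Consent Mode v2 default: every storage type denied until the visitor decides.
function consentDefaults() {
  const d = {};
  for (const k of CONSENT_KEYS) d[k] = 'denied';
  d.wait_for_update = 500; // ms to wait for an update before tags act on the default
  return d;
}

// Read the stored choice from a Cookie header. Only an explicit 'accept' or 'reject'
// counts; a missing or unexpected value means "no choice yet", never an implied accept.
function readStoredChoice(cookieHeader) {
  const re = new RegExp('(?:^|;\\s*)' + COOKIE_NAME + '=(accept|reject)(?:;|$)');
  const m = re.exec(cookieHeader || '');
  return m ? m[1] : null;
}

function consentUpdateFor(choice) {
  const state = choice === 'accept' ? 'granted' : 'denied';
  const u = {};
  for (const k of CONSENT_KEYS) u[k] = state;
  return u;
}

// Page load: push the denied default, then act only on a remembered choice.
// Returns what happened so a banner audit (or a test) can check it.
function applyConsent(cookieHeader) {
  gtag('consent', 'default', consentDefaults());
  const choice = readStoredChoice(cookieHeader);
  if (choice === null) return { choice: null, loadAnalytics: false }; // show banner, load nothing
  gtag('consent', 'update', consentUpdateFor(choice));
  return { choice, loadAnalytics: choice === 'accept' };
}

// Banner handler: "Accept All" and "Reject All" both call this, with equal prominence.
// Returns the cookie string that remembers the choice for a year.
function recordChoice(choice) {
  if (choice !== 'accept' && choice !== 'reject') throw new Error('unknown choice: ' + choice);
  gtag('consent', 'update', consentUpdateFor(choice));
  return COOKIE_NAME + '=' + choice + '; Max-Age=31536000; Path=/; SameSite=Lax; Secure';
}
```

The DevTools check in section 1 is the test of this design: with `loadAnalytics` false, the analytics script tag is never inserted, so a "Reject All" visit produces no google-analytics requests.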


8. SSL and security basics

Required: Best practice; UK GDPR Article 32 requires "appropriate technical and organisational measures."

If your website transmits personal data (any form with name/email) without HTTPS, that is a potential UK GDPR violation. Ensure:

  • Valid SSL certificate on all pages
  • No mixed content (HTTP resources on HTTPS pages)
  • Security headers configured (Content-Security-Policy, HSTS)
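An offline audit of the three points above, added here as an example rather than taken from the article or the scanner it describes. It takes a captured response (final URL after redirects, a lowercase-keyed headers object, and the HTML body), flags a missing or short HSTS policy, a missing CSP, resources fetched over plain HTTP and forms that would post personal data to a plain-HTTP endpoint. Certificate validity is left to the TLS client that fetched the page. The sample response at the bottom is constructed.

```javascript
// Added example: check a captured HTTPS response against the section-8 baseline.
function checkSecurityBaseline(finalUrl, headers, html) {
  const findings = [];
  if (!/^https:\/\//i.test(finalUrl)) findings.push('page not served over HTTPS');

  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push('HSTS max-age below one year: ' + hsts);
  }
  if (!headers['content-security-policy']) findings.push('missing Content-Security-Policy');

  // Mixed content: resources fetched over plain HTTP from an HTTPS page, plus forms whose
  // action would send the visitor's data over plain HTTP.
  const patterns = [
    ['mixed content (src)', /\bsrc\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi],
    ['mixed content (link)', /<link\b[^>]*\bhref\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi],
    ['form submits over plain HTTP', /<form\b[^>]*\baction\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi],
  ];
  for (const [label, re] of patterns) {
    for (let m; (m = re.exec(html)) !== null; ) findings.push(label + ': ' + m[1]);
  }
  return findings;
}

// Constructed sample response: short HSTS, no CSP, and a stylesheet, an image and a
// contact form all on plain HTTP.
const SAMPLE_URL = 'https://example.test/contact';
const SAMPLE_HEADERS = {
  'content-type': 'text/html; charset=utf-8',
  'strict-transport-security': 'max-age=300',
};
const SAMPLE_HTML = [
  '<html><head><link rel="stylesheet" href="http://cdn.example.test/site.css"></head>',
  '<body><form action="http://example.test/contact" method="post"><input name="email"></form>',
  '<script src="https://example.test/app.js"></script>',
  '<img src="http://example.test/logo.png"></body></html>',
].join('\n');

const SAMPLE_FINDINGS = checkSecurityBaseline(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML);
for (const f of SAMPLE_FINDINGS) console.log(f);
```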


9. Electronic marketing (PECR Regulation 22)

Required: Yes, if you do email or SMS marketing.

PECR Regulation 22 governs unsolicited electronic marketing. The rule depends on who the recipient is.

<div className="my-6 overflow-x-auto">
  <table className="w-full border-collapse text-sm">
    <thead>
      <tr className="bg-slate-100 text-left">
        <th className="border border-slate-300 px-3 py-2 font-semibold">Recipient</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Consent required?</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Soft opt-in available?</th>
        <th className="border border-slate-300 px-3 py-2 font-semibold">Working unsubscribe required?</th>
      </tr>
    </thead>
    <tbody>
      <tr>
        <td className="border border-slate-300 px-3 py-2 font-semibold">B2C email</td>
        <td className="border border-slate-300 px-3 py-2"><strong>Yes</strong></td>
        <td className="border border-slate-300 px-3 py-2">Yes, for existing customers buying similar products</td>
        <td className="border border-slate-300 px-3 py-2">Yes</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2 font-semibold">B2B email to limited companies and LLPs</td>
        <td className="border border-slate-300 px-3 py-2"><strong>No</strong></td>
        <td className="border border-slate-300 px-3 py-2">N/A</td>
        <td className="border border-slate-300 px-3 py-2">Yes, plus clear sender ID</td>
      </tr>
      <tr>
        <td className="border border-slate-300 px-3 py-2 font-semibold">B2B email to sole traders and partnerships</td>
        <td className="border border-slate-300 px-3 py-2"><strong>Yes</strong> (treated as B2C)</td>
        <td className="border border-slate-300 px-3 py-2">Yes, same rule as B2C</td>
        <td className="border border-slate-300 px-3 py-2">Yes</td>
      </tr>
      <tr className="bg-slate-50">
        <td className="border border-slate-300 px-3 py-2 font-semibold">SMS to any audience</td>
        <td className="border border-slate-300 px-3 py-2"><strong>Yes</strong></td>
        <td className="border border-slate-300 px-3 py-2">Yes, same soft opt-in carve-out as B2C email</td>
        <td className="border border-slate-300 px-3 py-2">Yes</td>
      </tr>
    </tbody>
  </table>
</div>

Most ICO PECR fines target companies that bought or scraped lists and then ran cold campaigns into B2C addresses. This is the single largest source of ICO monetary penalties for SMEs.


Free website check in 60 seconds

Our scanner tests your cookie banner (including whether rejecting actually stops trackers), checks for your Companies House details, analyses your privacy notice and runs 150+ additional checks specific to UK legal requirements.

Check your website for free →

No account required. Results in under 60 seconds.


This is technical analysis, not legal advice. Consult a qualified solicitor or data protection advisor for specific legal guidance.
