
GDPR Compliance for Your Cardiff Website: What Every Welsh Business Needs to Know in 2026

A practical GDPR guide for Cardiff SMEs. Learn what your website must do to comply with UK GDPR — cookie consent, privacy policies, ICO registration, data subject rights, and what happens if you get it wrong.

Caversham Digital · 16 March 2026 · 13 min read

If you're running a business in Cardiff and you have a website — which in 2026 means every serious business — you have GDPR obligations. The General Data Protection Regulation (and its UK version, UK GDPR, post-Brexit) isn't just for big corporations. It applies to the Cardiff florist collecting email addresses, the Newport accountancy firm using Google Analytics, and the Valleys manufacturer with a "Contact Us" form.

Most Cardiff SME websites we see have at least one GDPR problem. Some have several. The good news: getting compliant is not as complicated or expensive as many businesses fear. This guide walks you through exactly what your website needs to do.

Important disclaimer: This guide is written by a web agency, not solicitors. It's practical guidance based on widely accepted interpretations of UK GDPR. For specific legal advice tailored to your business, consult a qualified data protection solicitor or GDPR specialist.


What Is UK GDPR and Who Does It Apply To?

GDPR (General Data Protection Regulation) is an EU regulation that became enforceable on 25 May 2018. After Brexit, the UK kept its own version, UK GDPR, which sits alongside the Data Protection Act 2018. It is largely the same text, now supervised by the Information Commissioner's Office (ICO) rather than the EU supervisory authorities.

UK GDPR applies to any organisation that:

  • Collects, stores, or otherwise processes personal data in the course of its UK activities
  • Is established in the UK, or is based overseas but offers goods or services to, or monitors the behaviour of, individuals in the UK

Personal data is broader than many Cardiff business owners realise. It includes:

  • Names and email addresses
  • Phone numbers
  • IP addresses (yes, even these)
  • Cookie identifiers
  • Location data
  • Browsing behaviour tracked on your site
  • Any information that can identify a living individual

If your website has a contact form, Google Analytics, a newsletter signup, an e-commerce checkout, or embedded third-party content (YouTube, social media), you are almost certainly processing personal data.


The Six Lawful Bases for Processing Data

Before you can legally process someone's data, you need a lawful basis. UK GDPR defines six:

  1. Consent — the individual has freely given clear, specific consent
  2. Contract — processing is necessary to fulfil a contract (e.g. delivering an order)
  3. Legal obligation — you're required to process it by law
  4. Vital interests — to protect someone's life (rare in website contexts)
  5. Public task — processing is part of a public authority function
  6. Legitimate interests — your processing is necessary for your legitimate business interests, balanced against the individual's rights

For most Cardiff SME websites, the relevant bases are:

  • Consent — for marketing emails, non-essential cookies, analytics tracking
  • Contract — for processing customer data to fulfil an order or service
  • Legitimate interests — for some analytics and fraud prevention

Understanding which basis you're relying on matters, because it affects how you handle things like data requests and withdrawal of consent.


Cookie Consent: Getting It Right

Cookie compliance is probably the most visible privacy issue on Cardiff websites, and also one of the most commonly done wrong. Strictly speaking, the cookie rule itself comes from the Privacy and Electronic Communications Regulations (PECR), which sit alongside UK GDPR and require consent before you store or access anything on a user's device unless it is strictly necessary for a service the user asked for; UK GDPR sets the standard that consent has to meet.

What Counts as a Cookie?

For these rules, a "cookie" means any of:

  • Traditional HTTP cookies
  • Local storage and session storage
  • Tracking pixels
  • Fingerprinting scripts
  • Any similar technology that stores or accesses information on a user's device

Which Cookies Need Consent?

Strictly necessary cookies — no consent needed. These include session cookies that keep users logged in, shopping basket cookies, and security cookies such as CSRF tokens and load-balancer affinity cookies. You must still disclose them in your privacy/cookie policy.

Analytics cookies (e.g. Google Analytics) — consent required. Google Analytics processes IP addresses and sets cookie identifiers to recognise the same browser across sessions. Under PECR, applying UK GDPR's standard of consent, this requires prior, informed consent. Many Cardiff websites still run GA without a compliant consent banner.

Marketing/advertising cookies — consent required. Retargeting pixels from Facebook, Google Ads, LinkedIn, or any other ad platform require explicit consent before firing.

Functional cookies (e.g. remembering language preferences) — technically a "grey area", but the ICO does not treat a preference cookie as strictly necessary, so best practice is to seek consent.

What Does a Compliant Consent Banner Look Like?

A compliant UK GDPR cookie consent mechanism must:

✅ Appear before any non-essential cookies are set
✅ Give users a genuine choice — "Accept All" and "Reject All" must be equally prominent
✅ Allow users to manage granular preferences
✅ Record consent (timestamp, what was consented to, and which version of your cookie notice the user saw)
✅ Allow users to withdraw consent as easily as they gave it
✅ Not use dark patterns (e.g. pre-ticked boxes, buried reject buttons)

What doesn't work:

  • ❌ A banner that says "By using this site, you accept cookies" — this is not valid consent
  • ❌ Accept buttons that are large and green, reject buttons that are tiny and grey
  • ❌ Cookies firing before the user has interacted with the banner
  • ❌ "Cookie Policy" pages with no actual consent mechanism

For Cardiff SMEs, tools like Cookiebot, CookieYes, or OneTrust's free tier can handle compliant consent management without needing custom development. If you're working with Caversham Digital on a new site, we implement compliant consent management as standard.


Your Privacy Policy: What It Must Include

Every website that processes personal data needs a Privacy Policy (sometimes called a Privacy Notice). This must be:

  • Written in plain English — not impenetrable legal jargon
  • Freely accessible — typically linked in the footer of every page
  • Specific and accurate — not a generic template that doesn't reflect your actual practices

UK GDPR Privacy Policy Checklist

Your privacy policy must include:

1. Who you are

  • Business name, address, contact details
  • If you have a Data Protection Officer (DPO), their contact details. A DPO is only mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special category or criminal offence data; most SMEs don't need one.

2. What data you collect

  • Name, email, phone — contact form submissions
  • Payment data — if you process payments (note: if you use Stripe/PayPal, they handle payment data; you receive a reference, not card details)
  • IP addresses and analytics data
  • Any other data you collect

3. Why you collect it (the purpose)

  • To respond to enquiries
  • To fulfil orders
  • To send marketing emails (if applicable)
  • To improve our website via analytics

4. The lawful basis for each purpose

  • Contact form: legitimate interests or contract
  • Newsletter: consent
  • Analytics: consent

5. How long you keep data

  • Don't just say "as long as necessary" — be specific
  • E.g. "Contact form submissions are retained for 2 years. Email subscribers are retained until they unsubscribe."

6. Who you share data with

  • Email marketing provider (e.g. Mailchimp, Klaviyo)
  • Analytics provider (Google Analytics, Hotjar)
  • Hosting provider
  • Payment processor
  • Any third-party tools embedded in your site

7. Data subject rights

  • Right to access (Subject Access Request)
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

8. How to complain

  • Include the ICO's contact details: ico.org.uk | 0303 123 1113

9. International transfers (if applicable)

  • If you use US-based tools (Google, Mailchimp, etc.), you need to mention the transfer mechanism. For US companies certified under the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"), that certification is the mechanism; otherwise you will be relying on the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, usually built into the provider's data processing terms.

For Cardiff businesses, we recommend reviewing your privacy policy annually and updating it whenever you add new tools or change how you process data.


ICO Registration: Do You Need to Pay the Data Protection Fee?

Most businesses that process personal data must register with the Information Commissioner's Office (ICO) and pay the Data Protection Fee.

Who Must Register?

You must register unless you qualify for an exemption. Exemptions include:

  • Processing only for personal, family, or household purposes
  • Some not-for-profit organisations
  • Some small occupational pension schemes

Most Cardiff SMEs with a website do not qualify for an exemption and must register.

How Much Does It Cost?

Tier     Annual fee   Who qualifies
Tier 1   £52          Micro organisations: turnover ≤ £632,000 OR ≤ 10 members of staff
Tier 2   £78          Small and medium organisations: turnover ≤ £36 million OR ≤ 250 members of staff
Tier 3   £3,763       Large organisations: everyone else

These are the fees in force since 17 February 2025 (the ICO takes £5 off if you pay by direct debit). They replaced the old £40/£60/£2,900 fees, so check ico.org.uk for the current figures before budgeting.

Most Cardiff SMEs will be on Tier 1 at £52/year — that's genuinely affordable compliance.

How to Register

  1. Visit ico.org.uk/registration
  2. Answer questions about your organisation
  3. Pay the fee online
  4. Receive your registration number

Once registered, you can display your ICO registration number — a minor trust signal. More importantly, you're legally compliant for the administrative requirement.

Penalty for non-registration: a fixed monetary penalty of between £400 and £4,000 depending on your tier, on top of the fee you should have paid. The ICO actively pursues businesses that should be registered but aren't.


Data Subject Rights: What Cardiff Businesses Must Handle

Under UK GDPR, individuals have rights over their personal data. Your business must be able to respond to these requests. Here's what they mean in practice for a Cardiff SME website:

Right to Access (Subject Access Request / SAR) Any individual can ask what data you hold about them, and to be told why you hold it, who you share it with, and how long you keep it. You have one calendar month from receipt to respond, extendable by up to two further months if the request is complex or you have received several from the same person (you must tell them about the extension within the first month). You must provide the data free of charge unless the request is manifestly unfounded or excessive.

Practically: this means knowing where you store customer data. Your CRM, email marketing list, contact form submissions, order history. If a Cardiff customer emails asking "what data do you hold on me?", you need a process to find and compile it.

Right to Erasure ("Right to Be Forgotten") Individuals can ask you to delete their personal data in certain circumstances. You must comply unless you have a legitimate reason to retain it (e.g. an ongoing legal obligation, accounting requirements).

Right to Rectification If someone says their data is wrong, you must correct it.

Right to Object Individuals can object to processing based on legitimate interests or for direct marketing. If someone objects to marketing emails, you must stop immediately.

Right to Portability For data processed by consent or contract, individuals can request their data in a machine-readable format (CSV is fine).

Building a Simple Process

You don't need expensive software. A basic process:

  1. Designate who handles data requests (could be you, if you're a sole trader)
  2. Have an email address for data requests (e.g. privacy@yourbusiness.com or your main contact email)
  3. Check the requester's identity proportionately before you release anything: replying to the email address already on the record is usually enough, and demanding ID documents you never held in the first place is not
  4. Keep a log of requests and responses, including the date each was received, so the one-month clock is visible
  5. Know where your data lives (CRM, email platform, contact form plugin, your server logs, staff inboxes) so a request doesn't depend on one person's memory

Common GDPR Mistakes on Cardiff Websites

Here are the issues we see most often when auditing Cardiff business websites:

1. Google Analytics running without consent Extremely common. GA fires on page load before users interact with any banner. This is non-compliant. Fix: implement a proper CMP (Consent Management Platform) that keeps the GA tag from loading until consent is given, and set Google Consent Mode v2 defaults to "denied" so a tag that does load still waits for a consent update. To check your own site, open it in a private browser window and watch the Network tab for requests to googletagmanager.com or google-analytics.com before you have touched the banner.

2. Pre-checked marketing opt-in boxes on contact forms "Yes, I'd like to receive marketing emails" should never be pre-checked. Users must actively opt in.

3. Outdated or generic privacy policies Copy-pasted policies that mention data processing activities the business doesn't do, or miss ones they do. Review yours against your actual tools.

4. No cookie policy separate from privacy policy While they can be combined, it's cleaner to have a dedicated cookie policy linked from your consent banner.

5. Contact form data sitting in a shared Gmail inbox Contact form submissions are personal data. If they're stored indefinitely in an email inbox accessible to multiple people, that's a data retention and access control issue: nobody owns deletion, and anyone with the shared password can read everything. Fix: route submissions into a system with a retention rule (even a CRM with a scheduled purge), limit who can see them, and actually delete after the period your privacy policy states.

6. Third-party embeds (YouTube, Google Maps) loading without consent A standard youtube.com embed can set Google cookies as soon as the page loads, before the visitor plays anything; Google Maps embeds can too. Either use "privacy enhanced" embed modes (the youtube-nocookie.com embed domain, which stores nothing until the video is actually played) or gate the iframe behind consent.

7. No ICO registration Particularly common with sole traders and micro-businesses in Cardiff who assume they're too small to need it. At £52/year, there's no good reason not to register.
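The consent banner checklist earlier and mistakes 1 and 6 above describe one mechanism from two sides: nothing non-essential loads until a recorded choice allows it, and that choice can be withdrawn as easily as it was given. The following is an added example written for this guide, not code from Caversham Digital or from any of the CMPs named above, showing that mechanism in plain browser JavaScript. It assumes a page convention invented here, where gated tags are written as `<script type="text/plain" data-consent="analytics" data-src="...">` and embeds as `<iframe data-src="...">`, plus a storage key named cd_consent; the G-EXAMPLE measurement ID and the script URLs in the sample list are placeholders.

```javascript
// Added example (not Caversham Digital's code, not any CMP's): the core of a
// consent gate in plain JavaScript. It records categorised consent with a
// timestamp, keeps non-essential scripts blocked until consent exists, emits
// Google Consent Mode v2 signals, and swaps YouTube embeds to the
// privacy-enhanced domain when there is no marketing consent.
// Assumed page conventions (invented for this example):
//   <script type="text/plain" data-consent="analytics" data-src="..."></script>
//   <iframe data-src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
// and a localStorage key named "cd_consent".

const CATEGORIES = ['necessary', 'analytics', 'marketing'];
const STORAGE_KEY = 'cd_consent'; // assumed name
const DEFAULT_CHOICES = { necessary: true, analytics: false, marketing: false };

// Build a consent record. "necessary" is always on; every other category is
// off unless the user explicitly passed true, so nothing is ever pre-ticked.
function makeConsentRecord(choices, now = new Date()) {
  const record = { version: 1, timestamp: now.toISOString(), choices: { ...DEFAULT_CHOICES } };
  for (const category of CATEGORIES) {
    if (category !== 'necessary' && choices[category] === true) record.choices[category] = true;
  }
  return record;
}

// Withdrawal must be as easy as giving consent: a new record with the
// category switched off and a fresh timestamp, so the log shows when.
function withdrawConsent(record, category) {
  return makeConsentRecord({ ...record.choices, [category]: false });
}

// Translate the record into the Google Consent Mode v2 signal. Analytics and
// advertising are separate categories; advertising drives the three ad_* flags.
function toConsentModeV2(record) {
  const analytics = record.choices.analytics ? 'granted' : 'denied';
  const marketing = record.choices.marketing ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Given the gated scripts on the page, return only those the record allows.
// No record, or an unknown category, means the script stays blocked (fails closed).
function allowedScripts(scripts, record) {
  return scripts.filter((s) => Boolean(record && record.choices[s.category] === true));
}

// Rewrite a standard YouTube embed to the privacy-enhanced domain unless the
// visitor has given marketing consent. Any other URL passes through unchanged.
function embedSrc(url, record) {
  const u = new URL(url);
  if (u.hostname === 'www.youtube.com' && !(record && record.choices.marketing)) {
    u.hostname = 'www.youtube-nocookie.com';
  }
  return u.toString();
}

// Constructed sample of gated scripts, as a page would declare them (placeholder IDs/URLs).
const SAMPLE_GATED_SCRIPTS = [
  { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { category: 'marketing', src: 'https://connect.facebook.net/en_GB/fbevents.js' },
];

// Browser glue (skipped under Node). Default every storage type to "denied"
// before any tag can fire, then apply a stored record if there is one. The
// banner's Accept / Reject / Save buttons call applyConsent with the choices.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtag = window.gtag || function gtag() { window.dataLayer.push(arguments); };
  window.gtag('consent', 'default', toConsentModeV2(makeConsentRecord({})));

  window.applyConsent = function applyConsent(record) {
    window.localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
    window.gtag('consent', 'update', toConsentModeV2(record));
    const gated = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
      .map((el) => ({ el, category: el.dataset.consent, src: el.dataset.src }));
    for (const s of allowedScripts(gated, record)) {
      const live = document.createElement('script');
      live.src = s.src;
      s.el.replaceWith(live); // activates the previously blocked tag
    }
    document.querySelectorAll('iframe[data-src]').forEach((frame) => {
      frame.src = embedSrc(frame.dataset.src, record);
    });
  };

  const stored = window.localStorage.getItem(STORAGE_KEY);
  if (stored) window.applyConsent(JSON.parse(stored));
}
```

The pure functions at the top carry the decisions (record, signal, filter, rewrite) and are what a test should exercise; the browser glue only wires them to the DOM, and the `typeof window` guard lets the same file load under Node. A real deployment still needs the banner itself, and if you use a commercial CMP you would use its blocking attributes rather than the data-src convention assumed here.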


What Happens If You Get It Wrong?

The ICO has enforcement powers ranging from informal warnings to substantial fines.

Under UK GDPR, maximum fines are:

  • £17.5 million or 4% of global annual turnover (whichever is higher) for serious infringements
  • £8.7 million or 2% of global annual turnover for less serious infringements

In practice, the ICO focuses large fines on organisations that caused significant harm or showed reckless disregard for the rules. For most Cardiff SMEs, the realistic risk is:

  • An informal warning or reprimand
  • A requirement to fix specific issues
  • Reputational damage if a complaint is publicised

That said, the ICO does investigate complaints from individuals, and a disgruntled customer complaining to the ICO about how you handled their data request is a genuine risk.

The reputational angle matters increasingly. Cardiff consumers and B2B buyers are more privacy-aware than five years ago. A privacy incident — even a small one — can damage trust with customers you've spent years building relationships with.


Getting GDPR-Ready: A Cardiff Business Action Plan

Here's a practical starting checklist for Cardiff businesses:

Week 1: Audit

  • List all tools on your website that process personal data
  • Check whether your cookie consent mechanism is compliant (use a tool like cookiecheck.com or the ICO's website checker, and confirm it yourself: open the site in a private browser window and look in DevTools under Application > Cookies and the Network tab before you click anything on the banner)
  • Review your current privacy policy

Week 2: Fix the Obvious

  • Implement a compliant consent management platform
  • Update your privacy policy to be accurate and specific
  • Remove pre-checked marketing boxes from any forms

Week 3: Administration

  • Register with the ICO if you haven't already
  • Designate a data requests contact
  • Create a simple process for handling SARs

Ongoing

  • Review your privacy policy annually
  • Update when you add new tools
  • Respond to data subject requests within one month
  • Train any staff who handle personal data

How Caversham Digital Builds GDPR-Compliant Cardiff Websites

At Caversham Digital, GDPR compliance is built into our web design and development process for Cardiff clients. We don't bolt it on as an afterthought.

Every site we build includes:

  • A properly configured consent management platform
  • Cookie categorisation (necessary, analytics, marketing)
  • A customised privacy policy template for your review with a solicitor
  • Analytics configured to respect consent (Google Analytics with consent mode v2)
  • Privacy-safe embed alternatives where available

We can also audit existing Cardiff websites for GDPR compliance as a standalone service — identifying issues and providing a prioritised fix list.


Concerned about your Cardiff website's GDPR compliance? Contact Caversham Digital for a compliance audit or to discuss building a new, compliant site from scratch.

Related guides: Why Cardiff Businesses Need Professional Web Design | WordPress vs Next.js for Cardiff Businesses

Tags

GDPR Cardiff, GDPR compliance Wales, cookie consent Cardiff, ICO registration Wales, privacy policy Cardiff, data protection Cardiff, GDPR website Cardiff, Cardiff SME GDPR, UK GDPR 2026

Caversham Digital

The Caversham Digital team brings 20+ years of hands-on experience across AI implementation, technology strategy, process automation, and digital transformation for UK businesses.
