
How to Build a GDPR-Compliant Website for Your Welsh Business

A practical guide to GDPR compliance for Welsh businesses in 2026. Learn about cookie consent, data protection, privacy policies, and ICO requirements for websites operating in Wales and the UK.

Rod Hill·16 March 2026·19 min read

If you're running a website for your Welsh business in 2026, GDPR compliance isn't optional. It's a legal requirement that carries significant fines for non-compliance — up to £17.5 million or 4% of global annual turnover, whichever is higher.

That might sound alarming, but here's the truth: GDPR compliance for most Cardiff and Welsh SMEs isn't complicated. It's a set of clear, achievable steps that protect your customers and your business.

This guide walks through exactly how to build and maintain a GDPR-compliant website for your Welsh business, from cookie consent to privacy policies, with practical examples and references to ICO (Information Commissioner's Office) guidance.

What Is GDPR and Why Does It Matter for Welsh Businesses?

The General Data Protection Regulation (GDPR) is UK and EU law governing how businesses collect, store, and use personal data. Despite Brexit, the UK retained GDPR through the UK Data Protection Act 2018, which means Welsh businesses must comply whether they operate locally in Cardiff, across the UK, or internationally.

Personal data includes any information that can identify an individual:

  • Names, email addresses, phone numbers
  • IP addresses and device identifiers
  • Cookie data and browsing behavior
  • Form submissions and enquiry details

If your Welsh business website collects any of this — which almost all websites do — you must comply with GDPR.

The ICO enforces GDPR in the UK and Wales. Non-compliance can result in:

  • Fines up to £17.5 million or 4% of turnover
  • Enforcement notices requiring immediate changes
  • Reputational damage and loss of customer trust

For most Cardiff SMEs, the risk isn't massive fines — it's smaller enforcement actions, complaints, and the erosion of customer trust that comes from poor data handling.

The Core GDPR Principles Every Welsh Website Must Follow

GDPR is built on seven principles that govern how you handle personal data:

1. Lawfulness, fairness, and transparency
You must have a legal basis for processing data and be clear with users about what you're doing with their information.

2. Purpose limitation
Only collect data for specific, legitimate purposes. Don't gather email addresses "just in case" — know why you need them.

3. Data minimisation
Collect only the data you actually need. If you only need a name and email for a newsletter, don't ask for phone numbers and addresses.

4. Accuracy
Keep data accurate and up to date. Allow users to correct their information.

5. Storage limitation
Don't keep personal data longer than necessary. If someone filled in a quote form two years ago and never responded, delete their data.

6. Integrity and confidentiality (security)
Protect data from unauthorised access, loss, or damage. Use HTTPS, secure hosting, strong passwords, and encryption where appropriate.

7. Accountability
You must be able to demonstrate compliance. Keep records of what data you collect, why, and how you protect it.

These principles underpin everything else in this guide. Every GDPR compliance step for your Welsh business website should align with these.

Step 1: Conduct a Data Audit for Your Welsh Business Website

Before you can comply with GDPR, you need to know what data your website collects and why.

Ask yourself:

  • What forms are on my website? (Contact forms, quote requests, newsletter signups, job applications, etc.)
  • What information do these forms collect? (Name, email, phone, address, company details, etc.)
  • What analytics tools am I using? (Google Analytics, Facebook Pixel, Hotjar, etc.)
  • What cookies does my site set? (Analytics, advertising, functional, session cookies)
  • Where is this data stored? (Your hosting server, email marketing platform, CRM, Google Sheets, etc.)
  • Who has access to this data? (You, your staff, contractors, third-party platforms)
  • How long do I keep this data? (Indefinitely, one year, until the customer asks to be deleted, etc.)

For a typical Cardiff small business website, this might look like:

Example: Cardiff Accountancy Firm

  • Contact form collects: name, email, phone, company name, message
  • Newsletter signup collects: email, first name
  • Analytics: Google Analytics 4 (collects IP addresses, browsing behavior, device info)
  • Cookies: Google Analytics cookies, session cookies for form functionality
  • Storage: Form submissions stored in Gmail and Google Sheets; newsletter emails stored in MailChimp
  • Access: Two directors and one admin assistant
  • Retention: Contact form enquiries kept for two years; newsletter subscribers kept until they unsubscribe

This audit forms the foundation of your GDPR compliance documentation and privacy policy.

Step 2: Ensure You Have a Legal Basis for Data Processing

GDPR requires that you have a lawful basis for processing personal data. For Welsh business websites, the most common legal bases are:

1. Consent
The user has given clear, affirmative consent for you to process their data. This applies to:

  • Newsletter signups
  • Marketing emails
  • Non-essential cookies (analytics, advertising)

Consent must be:

  • Freely given (no pre-ticked boxes)
  • Specific (separate consent for different purposes)
  • Informed (user knows what they're consenting to)
  • Unambiguous (clear affirmative action, like clicking "I agree")
  • Withdrawable (easy to unsubscribe or opt out)

2. Legitimate Interest
Processing is necessary for your legitimate business interests, as long as it doesn't override the user's rights. This often applies to:

  • Essential website functionality
  • Fraud prevention and security
  • Direct marketing to existing customers (with easy opt-out)

You must document why you believe legitimate interest applies and how you balanced it against user rights.

3. Contract
Processing is necessary to fulfill a contract with the user. This applies to:

  • Processing an order
  • Delivering a service the user requested
  • Managing a customer account

4. Legal Obligation
Processing is required by law. This applies to:

  • Keeping financial records for tax purposes
  • Complying with employment law

For most Welsh SME websites, consent and legitimate interest are the most relevant bases.

Step 3: Implement Proper Cookie Consent

Cookies are one of the most visible and commonly misunderstood aspects of GDPR compliance for websites.

What are cookies?
Small text files stored on a user's device that track behavior, remember preferences, or enable functionality.

Types of cookies:

Strictly necessary cookies — Required for the website to function (e.g., session cookies, security cookies). These do not require consent under GDPR.

Functional cookies — Improve user experience (e.g., remembering language preference). Generally require consent.

Analytics cookies — Track how users interact with the site (e.g., Google Analytics). Require consent.

Advertising cookies — Track users for targeted advertising (e.g., Facebook Pixel, Google Ads remarketing). Require consent.

GDPR-compliant cookie consent means:

  1. A clear, visible cookie banner appears before any non-essential cookies are set.

  2. Users can accept or reject cookies. Pre-ticked boxes are not compliant.

  3. Granular control where appropriate. For sites with multiple cookie types (analytics, advertising, functional), users should be able to accept some and reject others.

  4. No cookies set until consent is given. This is critical — you can't set Google Analytics cookies and then ask for consent after.

  5. Easy to withdraw consent. Users should be able to change their cookie preferences at any time.

  6. Cookie policy or declaration that explains what cookies you use, why, and how long they last.
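The six points above, as an added example that is not code from the original post: a small consent-gating layer that treats a missing, malformed or out-of-date consent cookie as "no consent", supports accepting some categories and rejecting others, and loads gated scripts only for categories the visitor ticked. The cookie name, category names, version field and script URLs are this example's own assumptions.

```javascript
// Added example, not from the original post: gate non-essential scripts behind
// recorded consent, so no functional, analytics or advertising script loads
// until the visitor has actively opted in. Assumptions (this example's own
// choices): consent lives in a first-party cookie "cookie_consent" holding
// URL-encoded JSON; the script URLs are constructed placeholders.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_VERSION = 1; // bump when the cookie policy changes, invalidating old consent
const CATEGORIES = ['functional', 'analytics', 'advertising'];

// Constructed table of gated scripts by category (placeholder URLs).
const GATED_SCRIPTS = {
  functional: ['https://example.invalid/lang-pref.js'],
  analytics: ['https://example.invalid/analytics.js'],
  advertising: ['https://example.invalid/remarketing-pixel.js'],
};

// Default when nothing valid is stored: every non-essential category off.
function noConsent() {
  const consent = { version: CONSENT_VERSION };
  for (const cat of CATEGORIES) consent[cat] = false;
  return consent;
}

// Parse document.cookie-style text. A missing, malformed or out-of-date
// consent cookie is treated as "no consent", never as "accept".
function parseConsent(cookieText) {
  const consent = noConsent();
  for (const part of (cookieText || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      if (stored.version !== CONSENT_VERSION) return consent;
      for (const cat of CATEGORIES) consent[cat] = stored[cat] === true;
    } catch (err) { /* malformed value: keep the all-false default */ }
    return consent;
  }
  return consent;
}

// Build the cookie string for a granular choice. Categories the visitor did
// not tick default to false, so "accept some, reject others" works directly.
function serializeConsent(choices, maxAgeDays = 365) {
  const value = noConsent();
  for (const cat of CATEGORIES) value[cat] = choices[cat] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Gated script URLs permitted under a given consent state.
function allowedScripts(consent) {
  const urls = [];
  for (const cat of CATEGORIES) {
    if (consent[cat]) urls.push(...GATED_SCRIPTS[cat]);
  }
  return urls;
}

// Withdrawal rewrites the cookie with every category off. Vendor cookies a
// previously loaded script already set still need clearing separately.
function withdrawConsent() {
  return serializeConsent({});
}

// Browser wiring, skipped where no DOM exists so the logic above also runs in Node.
if (typeof document !== 'undefined') {
  for (const url of allowedScripts(parseConsent(document.cookie))) {
    const script = document.createElement('script');
    script.src = url;
    script.async = true;
    document.head.appendChild(script);
  }
}
```

The banner's "Accept"/"Reject"/"Save preferences" buttons would call `serializeConsent` with the ticked categories and assign the result to `document.cookie`, then reload or re-run the loading loop; a "change preferences" link calls `withdrawConsent` the same way.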

Recommended tools for Welsh businesses:

  • CookieYes — Free tier available, GDPR-compliant banner, easy setup
  • Cookiebot — Automatic cookie scanning, granular consent, integrates with common platforms
  • Complianz — WordPress plugin, scans site for cookies, generates compliant banner

Avoid generic cookie notices that say "This site uses cookies" with only an "Accept" button. That's not GDPR-compliant.

Step 4: Create a Comprehensive Privacy Policy

Your privacy policy is a legal requirement under GDPR. It must clearly explain how you collect, use, store, and protect personal data.

What your Welsh business website privacy policy must include:

  1. Who you are

    • Your business name and contact details
    • Data Protection Officer contact (if you have one — most SMEs don't need one)
  2. What data you collect

    • Contact form details
    • Newsletter signups
    • Analytics data
    • Cookie information
    • Any other personal data
  3. Why you collect it (legal basis)

    • Consent (for marketing emails)
    • Contract (to process orders)
    • Legitimate interest (for analytics, fraud prevention)
  4. How you use it

    • To respond to enquiries
    • To send marketing emails (if consented)
    • To improve website performance
  5. Who you share it with

    • Email marketing platforms (MailChimp, ConvertKit, etc.)
    • Analytics providers (Google Analytics)
    • Hosting providers
    • Payment processors (Stripe, PayPal)
    • Any other third parties
  6. How long you keep it

    • Be specific. "We keep contact form enquiries for two years" is better than "as long as necessary."
  7. User rights under GDPR

    • Right to access their data
    • Right to rectification (correct errors)
    • Right to erasure ("right to be forgotten")
    • Right to restrict processing
    • Right to data portability
    • Right to object
    • Right to withdraw consent
    • Right to complain to the ICO
  8. How users can exercise their rights

    • Provide a clear email address or contact method
  9. Security measures

    • How you protect data (HTTPS, secure hosting, encryption, access controls)
  10. International transfers (if applicable)

    • If you use US-based services (like Google Analytics or MailChimp), mention that data may be transferred internationally and what safeguards are in place

Example snippet for a Cardiff business:

"When you fill in our contact form, we collect your name, email address, phone number, and message. We use this information to respond to your enquiry (legal basis: legitimate interest and contract). Your details are stored securely on our UK-based hosting server and in our Gmail account. We do not share your information with third parties for marketing purposes. We keep contact form submissions for two years, after which they are deleted. You have the right to request access to, correction of, or deletion of your data at any time by emailing [email protected]."

Where to link your privacy policy:

  • In the footer of every page
  • On contact forms, newsletter signups, and checkout pages
  • In your cookie consent banner

The ICO provides a privacy notice template specifically for small businesses, which is a good starting point for Welsh SMEs.

Step 5: Secure Your Website and Data

GDPR requires that you protect personal data from unauthorised access, loss, or damage. For Welsh business websites, this means implementing basic but essential security measures.

1. Use HTTPS
All websites should use HTTPS (SSL/TLS encryption). This encrypts data sent between the user's browser and your server, protecting sensitive information like form submissions.

Most hosting providers offer free SSL certificates via Let's Encrypt. If your site still uses HTTP (not HTTPS), this is a priority fix.

2. Choose secure hosting
Your hosting provider should:

  • Provide regular backups
  • Have robust security measures (firewalls, DDoS protection)
  • Be compliant with GDPR themselves (particularly if they're based outside the UK)
  • Store data in secure data centers

For Welsh businesses, UK-based hosting is often preferable for data residency and compliance simplicity.

3. Keep software updated
If you use WordPress, Drupal, or other CMS platforms:

  • Update core software regularly
  • Update plugins and themes
  • Remove unused plugins and themes
  • Use security plugins (e.g., Wordfence, iThemes Security for WordPress)

4. Use strong passwords and access controls

  • Require strong passwords for admin access
  • Use two-factor authentication (2FA) where available
  • Limit admin access to only those who need it
  • Regularly review who has access and revoke access for former employees or contractors

5. Secure forms

  • Use CAPTCHA or honeypot fields to prevent spam and bot submissions
  • Validate and sanitize all form inputs to prevent SQL injection and XSS attacks

6. Regular backups

  • Automate daily or weekly backups
  • Store backups securely, separate from your live site
  • Test restoring from backups periodically

7. Data encryption
For particularly sensitive data (e.g., health records, financial information), consider encrypting data at rest and in transit.

Step 6: Respect User Rights

GDPR gives individuals specific rights over their personal data. Your Welsh business must be able to honor these requests.

1. Right to access (Subject Access Request)
Users can request a copy of all personal data you hold about them. You must respond within one month, free of charge (in most cases).

How to handle this:

  • Have a process in place to search your systems (email, CRM, databases)
  • Provide data in a clear, accessible format (PDF or CSV)
  • Verify the requester's identity before disclosing data

2. Right to rectification
Users can request that you correct inaccurate or incomplete data.

How to handle this:

  • Allow users to update their own details where possible (e.g., account settings)
  • Respond to correction requests within one month

3. Right to erasure ("right to be forgotten")
Users can request deletion of their data in certain circumstances.

How to handle this:

  • Delete data from all systems (website database, email, CRM, backups where feasible)
  • Respond within one month
  • Note: You may have legal obligations to retain some data (e.g., financial records for tax purposes). In these cases, explain why you cannot delete certain data.

4. Right to data portability
Users can request their data in a machine-readable format (e.g., CSV, JSON) to transfer to another service.

5. Right to object
Users can object to certain types of processing, particularly direct marketing.

How to handle this:

  • Provide easy unsubscribe links in all marketing emails
  • Honor objections immediately (e.g., remove from mailing lists)

For most Cardiff SMEs, the most common requests are:

  • Access requests (users wanting to know what data you hold)
  • Erasure requests (users wanting to be deleted from mailing lists or databases)

Have a clear process and a designated email address (e.g., [email protected]) for handling these requests.

Step 7: Review Third-Party Services and Data Processors

Your Welsh business website likely uses third-party services — email marketing platforms, analytics tools, CRM systems, payment processors. Under GDPR, these are "data processors," and you remain responsible for how they handle your customers' data.

Common third-party services for Welsh businesses:

  • Google Analytics
  • MailChimp, ConvertKit, or other email marketing platforms
  • CRM systems (HubSpot, Salesforce, Pipedrive)
  • Payment processors (Stripe, PayPal, GoCardless)
  • Live chat tools (Intercom, Drift, Tawk.to)
  • Form builders (Typeform, JotForm, Google Forms)

What you must do:

  1. Ensure they are GDPR-compliant

    • Check their privacy policies and GDPR documentation
    • Most reputable platforms (Google, MailChimp, Stripe) are GDPR-compliant, but verify
  2. Sign Data Processing Agreements (DPAs)

    • A DPA is a contract that outlines how the third party will handle data on your behalf
    • Most platforms provide standard DPAs; sign them
  3. Review data transfer mechanisms

    • If you use US-based services, check what legal mechanisms are in place for international data transfers (e.g., Standard Contractual Clauses)
  4. Disclose third parties in your privacy policy

    • List the platforms you use and link to their privacy policies
  5. Minimize data sharing

    • Only share the minimum data necessary with third parties
    • Avoid integrations that sync more data than you need

Step 8: Implement Data Retention and Deletion Policies

GDPR requires that you don't keep personal data longer than necessary. This means setting clear retention periods and actively deleting old data.

Example retention policies for a Cardiff business:

  • Contact form enquiries: Keep for two years, then delete (unless they became a customer, in which case different rules apply)
  • Newsletter subscribers: Keep until they unsubscribe
  • Customer records: Keep for six years (to comply with tax and accounting obligations), then delete
  • Analytics data: Anonymize or delete after 26 months (Google Analytics 4 default)

How to implement this:

  1. Document your retention periods in your privacy policy and internal records.

  2. Set calendar reminders to review and delete old data quarterly or annually.

  3. Automate where possible. Many CRM and email platforms allow you to set automatic deletion rules.

  4. Securely delete data. Don't just archive it — actually delete it from systems and backups where feasible.
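The retention policy and the four implementation steps above, as an added example that is not code from the original post: a retention sweep that applies the example periods (two years for enquiries, six years for customer records, 26 months for analytics, subscribers until they unsubscribe) and reports what is due for deletion, while flagging records held under a legal obligation instead of silently deleting or silently keeping them. Record shapes, field names and the choice to count a customer's six years from their last transaction are this example's assumptions.

```javascript
// Added example, not from the original post: a retention sweep that applies
// the example retention periods to stored records and reports what is due
// for deletion. Record shapes, field names and the rule that a customer's
// six years run from their last transaction are this example's assumptions.

function addMonths(isoDate, months) {
  const d = new Date(isoDate);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// Each rule returns the date from which the record may be deleted, or null
// to keep it (a subscriber is kept until they unsubscribe).
const RULES = {
  enquiry: (r) => addMonths(r.receivedAt, 24),          // two years
  customer: (r) => addMonths(r.lastTransactionAt, 72),  // six years (tax/accounting)
  subscriber: (r) => (r.unsubscribedAt ? new Date(r.unsubscribedAt) : null),
  analytics: (r) => addMonths(r.collectedAt, 26),       // 26 months
};

function retentionDecision(record, now) {
  const { id } = record;
  // An enquiry that became a customer is governed by the customer record.
  if (record.kind === 'enquiry' && record.customerId) {
    return { id, action: 'retain', reason: `converted to customer ${record.customerId}` };
  }
  const rule = RULES[record.kind];
  if (!rule) return { id, action: 'review', reason: `no rule for kind "${record.kind}"` };
  // A legal obligation (e.g. financial records) blocks deletion; report it explicitly.
  if (record.legalHold) return { id, action: 'retain', reason: 'legal hold' };
  const deleteFrom = rule(record);
  if (deleteFrom === null) return { id, action: 'retain', reason: 'still active' };
  const when = deleteFrom.toISOString().slice(0, 10);
  return deleteFrom.getTime() <= now.getTime()
    ? { id, action: 'delete', reason: `retention ended ${when}` }
    : { id, action: 'retain', reason: `retention ends ${when}` };
}

// Sweep every record; the caller performs the actual deletions and logs them.
function retentionSweep(records, now = new Date()) {
  return records.map((r) => retentionDecision(r, now));
}

// Ids that must be removed from every system (database, email, CRM, backups where feasible).
function idsToDelete(records, now = new Date()) {
  return retentionSweep(records, now).filter((d) => d.action === 'delete').map((d) => d.id);
}

// Constructed sample data (not real customers).
const SAMPLE_RECORDS = [
  { id: 'enq-1', kind: 'enquiry', receivedAt: '2023-11-02' },
  { id: 'enq-2', kind: 'enquiry', receivedAt: '2025-06-10' },
  { id: 'enq-3', kind: 'enquiry', receivedAt: '2023-01-15', customerId: 'cus-9' },
  { id: 'sub-1', kind: 'subscriber', subscribedAt: '2022-03-01' },
  { id: 'sub-2', kind: 'subscriber', subscribedAt: '2022-03-01', unsubscribedAt: '2026-02-20' },
  { id: 'cus-1', kind: 'customer', lastTransactionAt: '2019-09-30' },
  { id: 'cus-2', kind: 'customer', lastTransactionAt: '2019-09-30', legalHold: true },
  { id: 'ga-1', kind: 'analytics', collectedAt: '2023-12-01' },
];

if (typeof module !== 'undefined' && require.main === module) {
  console.table(retentionSweep(SAMPLE_RECORDS, new Date('2026-03-16')));
}
```

Run on a quarterly schedule, the sweep's output doubles as the deletion log that the accountability principle asks you to keep.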

Step 9: Train Your Team

If your Welsh business has staff who handle customer data — whether that's responding to emails, processing orders, or managing the website — they need to understand GDPR.

Key training points:

  • What personal data is and why it matters
  • The importance of data security (strong passwords, not sharing login details)
  • How to handle data access, correction, and deletion requests
  • What to do in case of a data breach
  • Not sharing customer data inappropriately

For small Cardiff businesses, this doesn't need to be formal training — a brief meeting and written guidelines are sufficient. Document that training took place.

Step 10: Have a Data Breach Response Plan

A data breach is any incident where personal data is accessed, lost, or disclosed without authorization. Examples include:

  • Website hacked and customer database stolen
  • Laptop with customer data lost or stolen
  • Email sent to wrong recipient containing personal information
  • Ransomware attack encrypting customer data

Under GDPR, you must:

  1. Report certain breaches to the ICO within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.

  2. Notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

What your breach response plan should include:

  1. Immediate containment

    • Stop the breach (e.g., take the compromised system offline, change passwords)
  2. Assess the breach

    • What data was affected?
    • How many individuals?
    • What's the risk to those individuals?
  3. Notify the ICO (if required)

    • Report within 72 hours via the ICO's online reporting tool
    • Include details of the breach, data affected, likely consequences, and remedial actions
  4. Notify affected individuals (if required)

    • Explain what happened, what data was affected, and what they should do
  5. Document the breach

    • Keep records of all breaches, even if they don't require reporting
    • Record what happened, the effects, and the remedial action taken
  6. Review and improve

    • Identify how the breach occurred and implement measures to prevent recurrence

For most Cardiff SMEs, the likelihood of a major breach is low, but having a plan ensures you respond correctly if one occurs.

Common GDPR Mistakes Welsh Businesses Make (and How to Avoid Them)

1. Using pre-ticked consent boxes
Consent must be an active choice. Pre-ticked boxes for newsletter signups or marketing emails are not GDPR-compliant.

Fix: Use unticked boxes and clear, plain language like "I consent to receiving marketing emails from [Your Business]."

2. Not having a privacy policy or having an outdated one
Many Welsh business websites either have no privacy policy or one that's generic and doesn't reflect what the site actually does.

Fix: Create a specific privacy policy based on your data audit. Review it annually.

3. Setting analytics cookies before consent
Many sites load Google Analytics or Facebook Pixel before the user consents to cookies.

Fix: Use a GDPR-compliant cookie consent tool that blocks non-essential cookies until consent is given.

4. No easy way to unsubscribe
Every marketing email must have a clear, one-click unsubscribe option.

Fix: Use a reputable email marketing platform (MailChimp, ConvertKit) that includes compliant unsubscribe links automatically.

5. Keeping data indefinitely
Many Cardiff businesses never delete old enquiries, unsubscribed contacts, or inactive customer records.

Fix: Set retention periods and schedule regular data deletion.

6. Not securing forms
Contact forms without HTTPS, CAPTCHA, or input validation can expose customer data or be exploited.

Fix: Use HTTPS, add CAPTCHA, and validate inputs.

7. Ignoring subject access requests
Failing to respond to a data access or deletion request within one month is a GDPR violation.

Fix: Set up a clear process and email address for handling requests.

Tools and Resources for Welsh Businesses

Cookie Consent Tools:

  • CookieYes (free tier available)
  • Cookiebot
  • Complianz (WordPress plugin)

Privacy Policy Generators:

  • ICO privacy notice generator
  • TermsFeed
  • Freeprivacypolicy.com

Email Marketing Platforms (GDPR-compliant):

  • MailChimp
  • ConvertKit
  • Sendinblue (Brevo)

Security Plugins (WordPress):

  • Wordfence
  • iThemes Security
  • Sucuri

The Bottom Line for Welsh Businesses

GDPR compliance for your Welsh business website isn't about filling in checklists or copying generic policies. It's about genuinely respecting your customers' data, being transparent about how you use it, and protecting it properly.

For most Cardiff and Welsh SMEs, GDPR compliance involves:

  • A clear privacy policy
  • Proper cookie consent
  • Secure hosting and HTTPS
  • Processes for handling user rights
  • Regular data deletion
  • Honest, transparent communication

None of this is particularly complex or expensive. What it requires is attention, honesty, and a commitment to doing things properly.

If you're unsure whether your Welsh business website is GDPR-compliant, the best step is to conduct the data audit outlined in this guide and work through each compliance step systematically. For complex sites or high-risk processing, consider consulting a data protection specialist or solicitor with GDPR expertise.

The ICO is not out to fine small Welsh businesses for minor oversights. Their focus is on serious violations and businesses that ignore compliance entirely. If you make a genuine effort to comply, document your processes, and respond properly to any issues, you're in a strong position.

Ultimately, GDPR compliance is good for your business. It builds customer trust, reduces data liability, and ensures you're handling data professionally. For Welsh businesses operating in 2026, it's simply part of doing business responsibly online.


Rod Hill

The Caversham Digital team brings 20+ years of hands-on experience across AI implementation, technology strategy, process automation, and digital transformation for UK businesses.
