GDPR and website security: what UK businesses are actually required to do
GDPR requires appropriate technical security measures to protect personal data — here is what that means in practice for a UK small business website in 2026.
Here's a scenario that plays out often enough to be a pattern, not a one-off: a small business receives a letter from the ICO following a data breach. A contact form on their website had been sending submissions in plaintext over an unencrypted connection, and a significant number of enquiries containing personal details had been intercepted over several months. The business didn't know this was happening. They didn't know plaintext form submissions over HTTP were a risk. They'd never been told that "appropriate technical security measures" under GDPR included anything specific about how their website handled the data it collected.
GDPR's requirement for appropriate technical security is real, enforceable, and has specific practical implications for any UK business website that collects, stores, or transmits personal data. Which is almost every business website.
What GDPR actually requires on security
Article 32 of UK GDPR requires that organisations implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It doesn't specify a particular technology, a specific standard, or a named set of controls, which is the source of much confusion about what's actually required.
What it does make clear is that security measures should account for the state of the art, the costs of implementation, the nature and purpose of the processing, and the likelihood and severity of risk to individuals. In plain English: you're expected to do what's reasonable given what's available, what data you're handling, and how bad it would be if that data were compromised. The ICO's enforcement decisions consistently reflect an expectation that basic, well-understood security measures are in place.
What that means for your website specifically
For a business website collecting personal data through a contact form, enquiry page, or booking system, the minimum reasonable baseline under GDPR includes a valid SSL certificate ensuring data is encrypted in transit, basic access controls on any system where personal data is stored, and some form of organisational measure covering how data is handled and how long it's retained.
A website running over HTTP rather than HTTPS, submitting form data unencrypted, fails this baseline regardless of what your privacy policy says. SSL is table stakes, not an optional extra, when personal data is involved.
Beyond SSL, the security header configuration on your website is directly relevant to the security of data collected through it. A missing Content Security Policy leaves your site open to cross-site scripting attacks that could capture what visitors type into your forms. A missing X-Frame-Options header leaves it open to clickjacking attacks that can intercept form submissions by overlaying a deceptive frame. These aren't theoretical risks for a business processing hundreds of personal enquiries a month.
The ICO's actual enforcement approach
The ICO doesn't pursue every security incident. Its enforcement priorities tend to focus on organisations processing significant volumes of personal data, breaches with serious consequences for individuals, and cases where basic, known security measures were absent and the organisation should have known better.
For small businesses, the practical risk of ICO enforcement is lower than for large organisations processing sensitive data at scale. But "lower risk of enforcement" and "no obligation" are not the same thing, and a breach that affects customers, even without ICO enforcement, carries its own reputational and commercial consequences.
How Cyber Essentials relates to GDPR
Cyber Essentials is a UK government-backed security certification, not a GDPR compliance framework, but achieving it provides meaningful evidence of appropriate technical measures under Article 32. An organisation that has passed Cyber Essentials has documented, verified baseline security controls in place, which is a stronger position than having nothing formal at all if a question is ever asked about whether security was taken seriously.
The controls that overlap are substantial: secure configuration of internet-facing systems, access control, malware protection, and patching all appear in both Cyber Essentials and in the kinds of measures the ICO would expect to see applied.
Frequently asked questions
Does GDPR require a specific technical standard like ISO 27001 or Cyber Essentials? No, GDPR doesn't mandate a specific standard. Both are evidence of appropriate technical measures, but neither is required. What's required is that appropriate measures are in place, and certification is one way of demonstrating that.
What counts as personal data on a website? Any information that identifies or could identify a living individual. A contact form collecting a name and email address is personal data. An enquiry that includes a phone number and job title is personal data. IP addresses can be personal data in certain contexts.
Do we need to notify the ICO if our website is breached? If a breach is likely to result in a risk to individuals' rights and freedoms, yes, the ICO must be notified within 72 hours of becoming aware of it. If the risk is high, affected individuals must also be notified directly.
Our website is just a brochure site with no forms. Does GDPR still apply? Your website collects personal data if it runs analytics that log IP addresses, uses cookies that track individual behaviour, or has contact details that lead people to contact you in ways that generate personal data, so the answer for most brochure sites is still yes to some degree.
Is there a fine for not having HTTPS on a website under GDPR? Not automatically, but a breach facilitated by the absence of basic security measures like HTTPS is exactly the kind of situation where the ICO would consider whether the absence of appropriate technical measures contributed to the harm, and take that into account in any enforcement decision.
Run a free scan of your domain to check your website's security configuration against the technical baseline a UK business collecting personal data should have in place: olimpio.io/free-scan