Website compliance sounds intimidating, but it doesn't have to be. Here's a straightforward guide to the three things every UK business website needs to get right.
SSL certificates — the padlock in your browser
What is SSL?
SSL (Secure Sockets Layer) encrypts the connection between your website and your visitors' browsers. (Strictly speaking, modern sites use its successor, TLS, but everyone still calls it SSL.) You can tell a site has SSL when the URL starts with "https://" instead of "http://". Most browsers show a padlock icon next to secure sites.
Why you need it
Three reasons:
- Security — SSL encrypts data in transit. If someone fills in a contact form on your site, SSL prevents that information from being intercepted. This is especially critical for payment details, but applies to all personal data.
- Google ranking — Google has used HTTPS as a ranking signal since 2014. Sites without SSL are ranked lower.
- Trust — Chrome and other browsers now mark non-HTTPS sites as "Not Secure" in the address bar. That warning alone scares visitors away.
How to get it
Most modern hosting providers include free SSL certificates via Let's Encrypt. If yours doesn't, it's time to switch. At Omotra, SSL is included in every package — you don't need to think about it.
UK GDPR — the data protection rules
What is UK GDPR?
The UK General Data Protection Regulation is the UK's version of the EU's GDPR, retained after Brexit. It governs how businesses collect, store, and use personal data. The regulator is the Information Commissioner's Office (ICO).
What it means for your website
If your website collects any personal data — names, email addresses, phone numbers, IP addresses — you need to comply. In practical terms, this means:
1. Privacy policy
Every website that collects data must have a privacy policy that explains:
- What data you collect and why
- How you store it and for how long
- Who you share it with (including third-party services like Google Analytics or Mailchimp)
- How people can request their data be deleted
- Your contact details as the data controller
This needs to be written in plain English, not legalese. The ICO provides templates and guidance on their website.
2. Lawful basis for processing
You need a legal reason to collect and use personal data. For most small business websites, the two relevant bases are:
- Consent — the person actively agreed (e.g., ticking a box on a contact form)
- Legitimate interest — you have a reasonable business reason (e.g., responding to an enquiry someone sent you)
3. Data minimisation
Only collect what you actually need. If your contact form asks for name, email, phone, address, date of birth, company size, annual revenue, and favourite colour — that's too much. Name, email, and their message are usually sufficient.
4. ICO registration
Most businesses that process personal data need to register with the ICO and pay a small annual fee (£40 for most small businesses). You can check whether you need to register using the ICO's self-assessment tool.
Penalties
The maximum fine for serious GDPR breaches is £17.5 million or 4% of annual turnover. In practice, the ICO tends to issue smaller fines and enforcement notices for small businesses, but it's not a risk worth taking — especially when compliance is straightforward.
Cookie consent — the popup everyone ignores
What are cookies?
Cookies are small files stored in a visitor's browser. They're used for everything from remembering login sessions to tracking which pages someone visits. The rules around them come from the Privacy and Electronic Communications Regulations (PECR), which work alongside GDPR.
What the law requires
The rules are simpler than most people think:
- Strictly necessary cookies don't need consent. These are cookies essential for the site to function — login sessions, shopping baskets, security tokens.
- Everything else needs consent before being set. This includes analytics cookies (Google Analytics), advertising cookies, social media tracking pixels, and personalisation cookies.
The key word is "before." You can't load Google Analytics and then ask permission. You need to ask first, and only load the tracking script if the visitor agrees.
What a compliant cookie banner looks like
A proper cookie consent banner should:
- Appear before any non-essential cookies are set
- Give a genuine choice — "Accept" and "Reject" buttons, not just "Accept" and "Manage settings"
- Not use dark patterns (such as making "Accept" a big green button and "Reject" a tiny grey link)
- Remember the visitor's choice so they're not asked again on every page
- Link to your cookie policy
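The "ask first, load only on agreement" rule above, and the "remember the visitor's choice" point in the banner list, come down to one small piece of logic. Here it is as an added example (not Omotra's code, and not any particular consent platform's): the storage and the script loader are passed in, so the same gate can run in a browser with `window.localStorage` and a function that appends the analytics `<script>` tag, or in a test with the in-memory stand-ins shown here. The storage key name is an assumption.

```javascript
// Consent gate for non-essential scripts (added example, not Omotra's code).
// Assumption: the visitor's choice is stored under this key.
const CONSENT_KEY = "cookie-consent";
const CHOICES = new Set(["accepted", "rejected"]);

function createConsentGate({ storage, loadTracking }) {
  let loaded = false;

  // Anything other than an explicit accept/reject counts as "not yet asked".
  function storedChoice() {
    const v = storage.getItem(CONSENT_KEY);
    return CHOICES.has(v) ? v : null;
  }

  // The tracking script is loaded at most once, and only after an explicit accept.
  function applyChoice(choice) {
    if (choice === "accepted" && !loaded) {
      loaded = true;
      loadTracking();
    }
  }

  return {
    // Run on every page load: replays a remembered decision; never loads otherwise.
    init() {
      const choice = storedChoice();
      applyChoice(choice);
      return { needsBanner: choice === null, choice };
    },
    // Wired to the banner's Accept and Reject buttons.
    decide(choice) {
      if (!CHOICES.has(choice)) throw new Error(`invalid consent choice: ${choice}`);
      storage.setItem(CONSENT_KEY, choice);
      applyChoice(choice);
      return choice;
    },
    isLoaded: () => loaded,
  };
}

// In-memory stand-in for localStorage (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```

Because the stored choice is read before anything loads, a visitor who clicks Reject is neither tracked nor asked again; a visitor who clicks Accept has the script loaded on this and every later page without a second prompt.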
The practical approach
If your website only uses essential cookies (no analytics, no tracking, no advertising), you don't need a cookie banner at all. This is actually the simplest compliant approach — and it's what we recommend for most small business sites.
If you do use Google Analytics or similar tracking, implement a proper consent management platform. Free options like Cookiebot's free tier or Osano work well for small sites.
A compliance checklist
- SSL certificate installed and working (HTTPS)
- Privacy policy page, written in plain English
- Contact forms only collect necessary data
- ICO registration (if applicable)
- Cookie consent banner (if using non-essential cookies)
- Analytics only loads after consent (if applicable)
- Data retention policy (how long you keep enquiries)
None of this is difficult. It just needs doing properly from the start.
Need a compliant website?
Every site we build includes SSL, GDPR compliance, and proper cookie handling. It's not an add-on — it's standard.