Compliance

GDPR Essentials for Contact Forms

Published 28 November 2025 · 7 min read

GDPR doesn't have to be scary. If you're a small business with a contact form, here's exactly what you need to know — no legal jargon, just practical steps.

Disclaimer: This is general guidance, not legal advice. For complex situations, consult a solicitor or data protection specialist.

Does GDPR apply to my small business?

Yes. If you collect any personal data from people in the UK or EU — which includes names, email addresses, and phone numbers through your contact form — GDPR applies to you.

The good news: compliance for a simple contact form isn't complicated. You don't need expensive software or a dedicated data protection officer. You just need to follow some basic principles.

The 5 things your contact form needs

1. Clear purpose statement

Tell visitors what you'll do with their information. This doesn't need to be lengthy — a single sentence works:

"We'll use your details to respond to your enquiry. We won't share your information with third parties or add you to marketing lists."

Place this near your form, either above the submit button or directly beneath it.

2. Link to your privacy policy

Your form should link to a full privacy policy. The link text should be clear:

"By submitting this form, you agree to our Privacy Policy."

Don't bury this in tiny grey text. Make it readable.

3. Only collect what you need

GDPR's "data minimisation" principle means you should only ask for information you actually need. For most contact forms, that's:

  • Name (to address them properly)
  • Email or phone (to respond)
  • Message (to understand their enquiry)

Do you really need their address, company name, or date of birth just to respond to an enquiry? Probably not. Every additional field you add needs justification.

4. Separate consent for marketing

If you want to add people to your newsletter or marketing list, you need separate, explicit consent. This means:

  • An unchecked checkbox (not pre-ticked)
  • Clear wording about what they're signing up for
  • The ability to easily unsubscribe later

Example:

☐ Yes, I'd like to receive occasional updates and offers by email. You can unsubscribe at any time.

Never automatically add enquiries to your marketing list. That's a GDPR violation and will annoy potential customers.

5. Secure data handling

Your form submissions need to be handled securely:

  • HTTPS: Your entire site should use HTTPS (the padlock in the browser). This encrypts data in transit.
  • Secure storage: Where do form submissions go? If they're emailed to you, your email should be secure. If stored in a database, it should be protected.
  • Access control: Only people who need access to enquiries should have it.

Your privacy policy: what to include

Your privacy policy should cover:

  • Who you are: Business name and contact details
  • What data you collect: List the types (names, emails, etc.)
  • Why you collect it: To respond to enquiries, provide services, etc.
  • How long you keep it: Be specific (e.g., "We delete enquiry data after 2 years")
  • Who you share it with: List any third parties (email providers, CRM systems)
  • People's rights: Right to access, correct, or delete their data
  • How to contact you: For data-related requests

Keep it in plain English. A privacy policy nobody can understand doesn't help anyone.

Sample GDPR-compliant form layout

Here's a template structure you can adapt:

<!-- action is a placeholder: point it at your own form handler -->
<form method="post" action="/contact">
  <label for="name">Name *</label>
  <input type="text" id="name" name="name" autocomplete="name" required>

  <label for="email">Email *</label>
  <input type="email" id="email" name="email" autocomplete="email" required>

  <label for="phone">Phone (optional)</label>
  <input type="tel" id="phone" name="phone" autocomplete="tel">

  <label for="message">Message *</label>
  <textarea id="message" name="message" required></textarea>

  <!-- Marketing consent (optional): unchecked by default, never pre-ticked.
       The field is only sent when the box is ticked, so absence means no consent. -->
  <label>
    <input type="checkbox" name="marketing" value="yes">
    Yes, send me occasional updates by email. You can unsubscribe at any time.
  </label>

  <p class="privacy-notice">
    We'll use your details to respond to your enquiry.
    See our <a href="privacy.html">Privacy Policy</a>.
  </p>

  <button type="submit">Send Message</button>
</form>

Note that every input needs a name attribute: without one the browser submits nothing for that field, and the method="post" keeps the submitted details out of server logs and browser history, where a GET request would put them in the URL.
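The form above is only the visible half; the handler that receives it is where data minimisation (point 3), separate marketing consent (point 4) and the retention period from your privacy policy are actually enforced. The following is an added example, not code from the original guide: a plain JavaScript function that takes the submitted fields of the sample form, drops anything not on an allowlist, records consent only when the box was explicitly ticked, and stamps each record with a deletion date. The 2-year retention period, the consent wording and the size limit are assumptions chosen for illustration.

```javascript
// Added example (not from the original guide): server-side handling of the
// sample contact form. Field names match the form; RETENTION_DAYS, the consent
// wording and the message size limit are assumed values for illustration.

// Allowlist of fields the form is permitted to submit. Anything else is dropped
// before storage, so an extra field added to the request is never kept.
const ALLOWED_FIELDS = ["name", "email", "phone", "message", "marketing"];
const REQUIRED_FIELDS = ["name", "email", "message"];

// Retention period assumed for this example ("we delete enquiry data after 2 years").
const RETENTION_DAYS = 730;

// Exact wording shown beside the checkbox, stored with the consent record so
// you can later show what the person actually agreed to.
const MARKETING_CONSENT_TEXT =
  "Yes, send me occasional updates by email. You can unsubscribe at any time.";

// Simple syntactic check only; it does not prove the address belongs to the sender.
function isPlausibleEmail(value) {
  return typeof value === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Turn a raw request body (an object of string fields) into a record safe to store.
// Returns { ok: true, record } or { ok: false, errors }.
function processSubmission(body, now = new Date()) {
  const errors = [];
  const data = {};

  // Data minimisation: keep only allowlisted fields, trimmed, and drop empty ones.
  for (const key of ALLOWED_FIELDS) {
    const value = body[key];
    if (typeof value === "string" && value.trim() !== "") {
      data[key] = value.trim();
    }
  }

  for (const key of REQUIRED_FIELDS) {
    if (!(key in data)) errors.push(`${key} is required`);
  }
  if (data.email && !isPlausibleEmail(data.email)) errors.push("email is not valid");
  if (data.message && data.message.length > 5000) errors.push("message is too long");

  if (errors.length > 0) return { ok: false, errors };

  // Separate consent: marketing is opt-in only. The checkbox submits "yes" when
  // ticked and nothing at all when left unchecked, so absence means no consent.
  const marketingConsent =
    data.marketing === "yes"
      ? { given: true, at: now.toISOString(), text: MARKETING_CONSENT_TEXT }
      : { given: false };
  delete data.marketing;

  // Retention: every record carries the date after which it must be deleted.
  const deleteAfter = new Date(now.getTime() + RETENTION_DAYS * 24 * 60 * 60 * 1000);

  return {
    ok: true,
    record: {
      ...data,
      receivedAt: now.toISOString(),
      deleteAfter: deleteAfter.toISOString(),
      marketingConsent,
    },
  };
}

// Constructed sample request body, including a field the form never sends.
const sampleBody = {
  name: "  Ada Example ",
  email: "ada@example.com",
  message: "Could you quote for a new website?",
  marketing: "yes",
  company: "Example Ltd", // not on the allowlist: dropped before storage
};

console.log(JSON.stringify(processSubmission(sampleBody, new Date("2025-11-28T10:00:00Z")), null, 2));
```

The consent record stores the wording and timestamp rather than just a boolean, because if someone later disputes a marketing email you need to show what they agreed to and when. The deleteAfter field is what makes the retention promise in your privacy policy enforceable by a scheduled clean-up rather than by memory.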

What about cookies and analytics?

Contact forms themselves don't require cookie consent — they're necessary for your website to function. However, if you're tracking form submissions with analytics tools like Google Analytics or Matomo, that's a separate consent issue.

The safest approach:

  • Use privacy-focused analytics (Matomo with anonymisation, or Plausible)
  • Implement a cookie consent banner for any non-essential tracking
  • Allow the contact form to work without analytics consent

Handling data subject requests

Under GDPR, people can ask you to:

  • Access their data: Show them what you hold about them
  • Correct their data: Fix any mistakes
  • Delete their data: Remove their information entirely
  • Export their data: Provide it in a portable format

For small businesses with simple contact forms, these requests are rare. When they happen:

  1. Respond within 30 days
  2. Verify their identity first
  3. Search your emails and any CRM for their data
  4. Provide or delete as requested

Keep a record that you complied with the request.
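Steps 3 and 4 above (find everything you hold about the person, then provide or delete it) and the compliance record are easy to get wrong when the data lives in several places and addresses are typed with different capitalisation. The following is an added example, not code from the original guide, showing access/export, erasure and a retention purge against a small in-memory store of the kind of records the handler above would keep. The store contents, the request reference format and the identity-check note are constructed for illustration; in practice the store is your mailbox or CRM.

```javascript
// Added example (not from the original guide): handling access, export and
// erasure requests against an in-memory store of enquiry records, plus a
// retention purge. Record shape, sample data and request ids are assumptions.

// Constructed sample store: what a handler might have kept from past enquiries.
const enquiries = [
  { id: 1, name: "Ada Example", email: "ada@example.com", message: "Quote please",
    receivedAt: "2025-11-28T10:00:00.000Z", deleteAfter: "2027-11-28T10:00:00.000Z" },
  { id: 2, name: "Bob Sample", email: "bob@example.org", message: "Opening hours?",
    receivedAt: "2023-01-05T09:00:00.000Z", deleteAfter: "2025-01-05T09:00:00.000Z" },
  { id: 3, name: "Ada Example", email: "ADA@example.com", message: "Follow-up",
    receivedAt: "2025-12-01T12:00:00.000Z", deleteAfter: "2027-12-01T12:00:00.000Z" },
];

// Compliance log: records that a request was handled without copying the
// personal data itself into the log (only the request type and a count).
const complianceLog = [];

// Addresses are matched case-insensitively so a differently-cased address
// still finds every record about the same person.
function normaliseEmail(email) {
  return String(email).trim().toLowerCase();
}

// Subject access / portability: return everything held about this email in a
// plain structure (JSON.stringify it to hand over as a portable export).
function exportSubjectData(store, email) {
  const key = normaliseEmail(email);
  return store.filter((r) => normaliseEmail(r.email) === key);
}

// Erasure: remove every record about the email and log that it was done.
// requestId is the reference you gave the person; verifiedBy notes how identity was checked.
function eraseSubjectData(store, email, { requestId, verifiedBy, now = new Date() }) {
  const key = normaliseEmail(email);
  let removed = 0;
  for (let i = store.length - 1; i >= 0; i--) {
    if (normaliseEmail(store[i].email) === key) {
      store.splice(i, 1);
      removed++;
    }
  }
  complianceLog.push({
    type: "erasure", requestId, verifiedBy,
    recordsRemoved: removed, completedAt: now.toISOString(),
  });
  return removed;
}

// Retention: delete anything past its deleteAfter date. Run this on a schedule
// so "we delete enquiry data after 2 years" is actually true.
function purgeExpired(store, now = new Date()) {
  let removed = 0;
  for (let i = store.length - 1; i >= 0; i--) {
    if (new Date(store[i].deleteAfter) <= now) {
      store.splice(i, 1);
      removed++;
    }
  }
  return removed;
}

// Demonstration on the constructed store.
const today = new Date("2025-12-10T00:00:00Z");
console.log("expired records removed:", purgeExpired(enquiries, today)); // Bob's 2023 enquiry
console.log("Ada's data:", JSON.stringify(exportSubjectData(enquiries, "ada@example.com")));
console.log("records erased:", eraseSubjectData(enquiries, "Ada@Example.com", {
  requestId: "DSR-2025-001", verifiedBy: "reply received from the same email address", now: today,
}));
console.log("compliance log:", JSON.stringify(complianceLog));
```

The compliance log deliberately stores a count and a reference rather than the deleted records themselves; keeping a copy of the data "to prove you deleted it" defeats the purpose of the erasure. The purge is the same loop as erasure keyed on date rather than address, which is why it belongs next to the request handlers rather than as an afterthought.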

Common mistakes to avoid

  • Pre-ticked marketing checkboxes: Illegal under GDPR. Consent must be actively given.
  • Bundled consent: "By submitting, you agree to receive marketing" isn't valid. Marketing consent must be separate from enquiry consent.
  • No privacy policy: Every website collecting personal data needs one.
  • Keeping data forever: Set a retention period and stick to it.
  • Ignoring subject access requests: You're legally required to respond within 30 days.

Quick compliance checklist

  • ☐ Form only collects necessary information
  • ☐ Clear statement about data use near the form
  • ☐ Link to privacy policy
  • ☐ Separate, unchecked checkbox for marketing consent
  • ☐ Website uses HTTPS
  • ☐ Privacy policy exists and is comprehensive
  • ☐ Data retention period defined
  • ☐ Process for handling data requests

Need help?

Every website I build includes GDPR-compliant contact forms, privacy policies, and cookie consent. It's all part of the package — no extra charge, no legal headaches for you.

Get in touch if you'd like a website that's compliant from day one.