GDPR Compliance: 57% of SME websites make basic errors



We analyzed 93,000 SME websites in Germany, Austria and the UK to better understand their compliance with GDPR rules. Specifically, we looked at four key factors that make up the fundamentals of SME website GDPR compliance.

In short, it’s not looking good for SME websites.

You’re probably asking yourself: “How does this help me as a digital marketing agency?!” 
Answer: There is a huge opportunity to educate your SME clients about their responsibilities when it comes to data protection law and to help them get compliant 💪 🎉

Pie chart showing 57% of SME websites do not comply with GDPR

Too long to read?
Test any website in 60 seconds to see if they are GDPR compliant using Insites

Penalty if you don’t comply with GDPR (the risk SMEs face) 😰

SMEs failing to adhere to the GDPR could face a serious fine, depending on the severity of the breach.

Severity of infringements | Fine amount
Less severe | A fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
More serious | A fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

Source: GDPR.EU/Fines

From the above table, you can understand the importance of being GDPR compliant.



Let’s get right into the data.

Here’s a quick summary of our key findings

  • 11% of websites were missing an SSL certificate
  • Nearly 63% of SMEs have no link to a Privacy Policy
  • Over 50% of SMEs have no Cookie Banner enabled on their website
  • Almost 50% have no link to a Cookie Policy

What GDPR compliance checks did we look at?

GDPR is a complex regulation, but for SMEs and their websites, it is relatively straightforward. At a fundamental level, SMEs should give their website visitors clear information on what data is collected and how it is or could be used, and the option to actively opt in (rather than opt out) when filling out forms.

To keep it simple, we looked to see if a website has the following:

  • Is there an SSL certificate?
  • Is there a link to a Privacy Policy?
  • Is there a Cookie banner?
  • Is there a link to a Cookie Policy?

Note that GDPR compliance is a complex legal issue – the presence (or lack) of these factors is no guarantee of compliance (or violation). Always check with a legal professional if you’re concerned about any data privacy matters.
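As an added illustration (not Insites' code and not the method used in the study), the four presence checks can be sketched as a small Python scanner over a fetched page. The keyword lists, the `audit` function and the sample pages are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword heuristics are assumptions for this example, not the study's method.
PRIVACY = ("privacy", "datenschutz")
COOKIE_POLICY = ("cookie policy", "cookie-policy", "cookie_policy")
BANNER = ("cookie-banner", "cookie-consent", "cookieconsent", "cookie-notice")

class PageScan(HTMLParser):
    """Collects link href+text pairs and id/class values from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.markers = [], []   # both stored lower-cased
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.markers.append(f"{a.get('id') or ''} {a.get('class') or ''}".lower())
        if tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(f"{self._href} {' '.join(self._text)}".lower())
            self._href = None

def audit(url, html):
    """Return the four presence checks for one fetched page."""
    scan = PageScan()
    scan.feed(html)
    def has(words, items):
        return any(w in item for w in words for item in items)
    return {
        # Scheme of the URL the crawler ended on; certificate validity needs a live check.
        "https": urlparse(url).scheme == "https",
        "privacy_policy_link": has(PRIVACY, scan.links),
        "cookie_banner": has(BANNER, scan.markers),
        "cookie_policy_link": has(COOKIE_POLICY, scan.links),
    }

# Constructed sample pages (not taken from the study's data set).
GOOD = ('<div id="cookie-consent">We use cookies <button>Accept</button></div>'
        '<a href="/privacy">Privacy Policy</a> <a href="/legal/cookies">Cookie Policy</a>')
BAD = '<h1>Welcome</h1><a href="/contact">Contact us</a>'
```

Calling `audit("https://shop.example", GOOD)` reports all four items present, while `audit("http://shop.example", BAD)` reports all four missing. These are presence heuristics only, so a hit or a miss still needs manual review.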

Check 1: Most SMEs are using SSL on their websites

Only 11% of websites were failing to use SSL to encrypt customer data. While SSL is not strictly required for GDPR compliance, a business acting as a data controller or data processor is responsible for keeping information secure, and SSL helps to do that.

This is a good result and is possibly related to hosting companies bundling this as part of their offer, heightened awareness of security, and the increased use of eCommerce tools by SMEs.

Check 2: Nearly 63% of SMEs have no link to a Privacy Policy

With privacy issues regularly making front-page news, it is shocking that 63% of our sample don’t have a privacy policy on their website.  Not only is there a legal requirement for a privacy policy, but it is also required by third parties such as Google and Apple. For example, websites using Google Analytics must have a posted privacy policy as part of Google’s terms of service.

While some argue that having a Privacy Policy builds trust, the only argument that really stands up is the legal one.  If you don’t have it, you are probably violating the law, and a consumer can pursue you through the appropriate regulatory and legal channels. 

Check 3: Over 50% have no Cookie Banner

Many people are annoyed at having to dismiss cookie banners when visiting a website, but gaining consent is a requirement if you have EU visitors and you track/collect personal data. The cookie banner meets a key requirement in GDPR – you must gain active consent; it is not sufficient to merely allow visitors to “opt out”.

The good news for “cookie banner haters” is that over 50% of our sample didn’t have one. The bad news for the businesses is they could be violating the law.

Remember, while today the focus is on cookies, the law is not just a “cookie” law. It is broad enough to cover any tracking tools and technologies, such as local storage. It will also apply to any new solutions that come on the market.

Check 4: Almost 50% have no link to a Cookie Policy

Going hand-in-hand with a cookie banner is having a cookie policy that clearly spells out what cookies are active on your site, their purpose, what user information/data they track and where the data is sent/processed. Sometimes this is included as part of the privacy policy or listed within the cookie banner.

That said, approximately 50% of the websites in our study did not link to a stand-alone cookie policy. 

Help your Customers & Prospects avoid potentially costly errors
Insites can tell you in seconds if a business is missing any of these key GDPR compliance features.


Nothing much seems to have changed since the study in 2019. Some have embraced the requirements, and others are still “meh 🤷🏻‍♀️”.

Today, there is very little enforcement activity on SMEs as regulators focus on the practices of tech giants. If a regulator really wanted to do something about this, they could, but it remains to be seen when, or if, regulators will turn their attention to the SME market.

As GDPR matures, it will be worth following developments in the tracking, processing and storing of personal data. We are all working to help SMEs put their best foot forward online, and the Insites digital audit can quickly and easily identify GDPR issues to help bring SMEs into compliance.

Thanks for making it to the end! 😅
Learn more about how our platform can help you gain more business