5 signs your compliance setup is putting you at legal risk

Compliance is not a binary state — you are not simply "compliant" or "non-compliant." There is a spectrum of risk, and most small businesses sit somewhere in the middle: doing some things well, while carrying specific gaps that create legal exposure. These are the five most common risk indicators that come up in informal compliance reviews of small online businesses.

Your privacy policy has not been updated since you set it up

A privacy policy that was accurate in 2020 is almost certainly inaccurate today. In the intervening years, you have probably added new tools — a CRM, a new analytics platform, a customer support system, an affiliate tool, a community platform. Each of these processes your users' personal data. Each of them belongs in your privacy policy under your data processors section. If your policy still references your 2020 tech stack while your actual stack looks completely different, you are misrepresenting your data practices — which is precisely what privacy law prohibits.

Your analytics scripts load before the user has consented

This is the most common technical compliance failure. Google Analytics, Microsoft Clarity, and most other analytics platforms set cookies and collect data the moment their scripts load. If those scripts are in your site's <head> without any consent gate, they are collecting data from users who have not yet been asked for their consent — and in some cases never will be, if users leave before interacting with your banner. A correct implementation blocks analytics scripts until affirmative consent is given and only fires them after the user has said yes.

You have no documented process for handling data requests

Data Subject Access Requests (DSARs) must be responded to within one calendar month. If you received a DSAR tomorrow, do you know where to look for all the data you hold about that person? Would you know who in your team is responsible for responding? Do you have a log of when requests arrive so you do not miss the deadline? A missing process is not just a theoretical risk — the ICO receives thousands of complaints every year from individuals who sent a DSAR and received no response.

Your cookie banner makes rejecting harder than accepting

Regulators have made it increasingly clear that a cookie banner with a prominent "Accept all" button and a small, grey "Manage settings" link that requires three more clicks to reject cookies is not compliant. The accept and reject options must be equally accessible. This applies even if your banner otherwise uses technically valid consent collection — dark patterns that make rejection harder than acceptance undermine the consent entirely.
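As an added illustration of the script gating described under the analytics point above and the symmetric accept/reject wiring this banner point calls for (example code, not from the original post or the Trust Center product), this JavaScript keeps analytics tags inert until a stored decision of "accepted" exists; the storage key and the inert-tag attribute names are assumptions.

```javascript
// Added example: gate analytics tags behind explicit consent. Tags are authored
// inert (type="text/plain") so the browser never executes them; they are swapped
// for live <script> elements only after the user has chosen "accepted".
const CONSENT_KEY = 'cookie_consent'; // assumed storage key (not from the page)

// Pure decision logic: which inert tags may go live for a given stored choice.
// No stored choice (the user left before answering) means nothing fires.
function scriptsToActivate(decision, tags) {
  if (decision !== 'accepted') return [];
  return tags.filter((t) => typeof t.src === 'string' && t.src.length > 0);
}

// Record the user's choice. Accept and reject are symmetric: one call each, so
// both buttons can be wired directly, with no extra "manage settings" hops.
function recordDecision(storage, choice) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error(`unknown consent choice: ${choice}`);
  }
  storage.setItem(CONSENT_KEY, choice);
  return choice;
}

// Browser glue: read the stored decision and activate only the permitted tags.
// Each gated tag is authored as (attribute names assumed):
//   <script type="text/plain" data-consent="analytics" data-src="https://example.invalid/a.js"></script>
function applyConsent(doc, storage) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ el, src: el.dataset.src }));
  const allowed = scriptsToActivate(storage.getItem(CONSENT_KEY), inert);
  for (const tag of allowed) {
    const live = doc.createElement('script');
    live.src = tag.src;        // the browser fetches and runs it only now
    live.async = true;
    tag.el.replaceWith(live);
  }
  return allowed.map((t) => t.src); // what actually went live, for auditing
}

// Typical wiring on the banner's buttons (browser only):
//   acceptBtn.onclick = () => { recordDecision(localStorage, 'accepted'); applyConsent(document, localStorage); };
//   rejectBtn.onclick = () => { recordDecision(localStorage, 'rejected'); };
// and on every page load: applyConsent(document, localStorage);
```

Because the gated tags never execute until applyConsent swaps them in, a user who closes the banner without answering is treated exactly like one who rejected.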

You collect data but do not know how long you keep it

Retention periods are a required element of any GDPR-compliant privacy policy, and "we keep data for as long as necessary" is not an acceptable answer. Regulators expect you to define specific retention periods for each category of data — marketing data, purchase records, account data, support tickets — and then actually delete or anonymise data when those periods expire. Data minimisation and storage limitation are two of GDPR's core principles, and failing to implement them is a compliance gap that regulators take seriously, particularly when combined with other issues.

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.

Get early access →