There's a conversation that should happen at the start of every web project but almost never does.
**Business owners think**: "I'm paying for a website, not a security audit. That's the developer's job."
**Developers think**: "The client didn't ask for security. It's not in the budget. Not my problem."
Both are wrong. And when something goes wrong—a data breach, a compliance fine, an accessibility lawsuit—both pay the price.
This article is for everyone involved in building, buying, or running a website. Because the "mumbo jumbo" of security and compliance isn't optional anymore. It's the difference between a business asset and a ticking time bomb.
Here's how most people think about their website:
The moment your website:
This isn't paranoia. It's reality. And both the business owner and the developer share responsibility for getting it right.
"We're too small to be a target."
Let's look at the data:
43% of cyberattacks target small businesses. Not because they have valuable data—because they have weak security. Attackers know small businesses cut corners.
And the cost?
| Business Size | Average Breach Cost (2024) |
|---|---|
| Under 500 employees | $3.31 million |
| 500-1,000 employees | $3.68 million |
| 1,000-5,000 employees | $4.18 million |
"But that's big companies with big breaches."
No. That's the average. It includes the small accounting firm whose contact form got exploited. The local retailer whose customer database was stolen. The freelancer whose client site became a malware distribution point.
You might think regulations are for big corporations. Here's what actually applies:
The fines are not theoretical:
| Regulation | Maximum Penalty | Applies To |
|---|---|---|
| GDPR | €20M or 4% of global annual turnover, whichever is higher | Any business offering goods or services to, or monitoring, people in the EU |
| UK GDPR | £17.5M or 4% of global annual turnover, whichever is higher | Any business offering goods or services to, or monitoring, people in the UK |
| CCPA/CPRA | $7,500 per intentional violation | For-profit businesses over the CPRA thresholds, e.g. $25M+ annual revenue or personal data of 100K+ California consumers or households |
| ADA (Title III) | $75K first violation, $150K subsequent (DOJ civil penalties) | US businesses open to the public; application to websites is being set by case law |
| EU Accessibility Act | Varies by member state | Covered products and services from 28 June 2025 |
There is no "too small to care" exemption.
"I just build what the client asks for."
Courts disagree. Professional duty of care means you're expected to apply professional standards whether or not the client specifically requests them.
When a website you built:
The question courts ask: "Would a reasonably competent web professional have done this differently?"
If the answer is yes, you have a problem.
The Business Owner's Perspective: Sarah runs an accounting firm. She paid £3,500 for a WordPress website. It looked great. She was happy.
Two years later, her hosting company noticed unusual traffic. Her database had been stolen through an SQL injection vulnerability in an outdated plugin. 3,400 client records—names, emails, phone numbers, and sensitive financial details from the contact form's "describe your needs" field.
What happened next:
The Developer's Perspective: Mark built the site. Delivered it. Got paid. Moved on to the next project. No maintenance contract—Sarah didn't want to pay £50/month for "updates."
When Sarah's lawyers came calling, Mark discovered:
What should have happened:
The Business Owner's Perspective: A marketing agency built Jean-Pierre's e-commerce site. They installed Google Analytics and Meta Pixel for tracking. They added a cookie banner—looked compliant enough.
A customer complained to CNIL (French data protection authority). The audit found:
The result:
The Developer's Perspective: The agency assumed the cookie banner plugin handled compliance. It didn't. They never tested whether the tracking scripts actually waited for consent before loading and setting cookies. They copied the implementation from another project without understanding the requirements.
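The test the agency never ran is easy to write. The following is an added example, not code from the article or from any cookie-banner product: a small consent manager that queues third-party tags until the visitor grants the matching category, beside the "load everything on page load" behaviour the audit found, and a check that reports which non-essential tags reached the page with no consent recorded. The tag list, category names, script URLs and the `injectScript` callback are this example's assumptions.

```javascript
'use strict';
// Added example: consent-gated tag loading. Tags are registered with a consent
// category and injected only after that category is granted. The tag registry
// below is constructed for the example; the gtag ID is a placeholder.

const TAGS = [
  { name: 'session',          category: 'necessary', src: '/js/session.js' },
  { name: 'google-analytics', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX' },
  { name: 'meta-pixel',       category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

class ConsentManager {
  // injectScript(src): adds a <script src> to the page (injected so it can be tested off-browser).
  // stored: choices saved from a previous visit, e.g. { analytics: true }.
  constructor(injectScript, stored = {}) {
    this.injectScript = injectScript;
    this.granted = new Set(['necessary']); // strictly necessary tags never wait for consent
    for (const [cat, ok] of Object.entries(stored)) if (ok) this.granted.add(cat);
    this.pending = [];  // tags waiting for their category
    this.loaded = [];   // names of tags actually injected (audit trail)
    this.log = [];      // consent events, the record a regulator will ask for
  }

  // Register a tag; it loads now only if its category is already granted.
  register(tag) {
    if (this.granted.has(tag.category)) this._inject(tag);
    else this.pending.push(tag);
  }

  // Record the visitor's choice and release any tags that were waiting for it.
  grant(categories) {
    const at = new Date().toISOString();
    for (const category of categories) {
      this.granted.add(category);
      this.log.push({ at, category, action: 'granted' });
    }
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.granted.has(tag.category)) this._inject(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  // Withdrawal must be as easy as consent. A script that already ran cannot be
  // unloaded, so record the withdrawal and stop loading that category; the next
  // page load starts clean from snapshot().
  withdraw(category) {
    if (category === 'necessary') return;
    this.granted.delete(category);
    this.log.push({ at: new Date().toISOString(), category, action: 'withdrawn' });
  }

  // Choices to persist (in a cookie or localStorage) for the next visit.
  snapshot() {
    const out = {};
    for (const cat of this.granted) if (cat !== 'necessary') out[cat] = true;
    return out;
  }

  _inject(tag) {
    this.injectScript(tag.src);
    this.loaded.push(tag.name);
  }
}

// What the agency shipped: every tag injected at page load, banner or not.
function naiveLoadAll(injectScript, tags) {
  for (const tag of tags) injectScript(tag.src);
}

// Run a loader with no consent stored and report the non-essential tags that
// reached the page. A compliant implementation returns [].
function auditPreConsent(runLoader, tags) {
  const injected = [];
  runLoader((src) => injected.push(src));
  return tags
    .filter((t) => t.category !== 'necessary' && injected.includes(t.src))
    .map((t) => t.name);
}

// Browser injector; not invoked here so the file also runs under Node.
function domInjector(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Usage: the naive loader fails the audit, the gated loader passes it.
const naiveResult = auditPreConsent((inject) => naiveLoadAll(inject, TAGS), TAGS);
const gatedResult = auditPreConsent((inject) => {
  const cm = new ConsentManager(inject);
  for (const tag of TAGS) cm.register(tag);
}, TAGS);
console.log('naive loader, pre-consent:', naiveResult);   // ['google-analytics', 'meta-pixel']
console.log('gated loader, pre-consent:', gatedResult);   // []
```

In a real page, construct `ConsentManager` with `domInjector` and the choices read back from your consent cookie, register every tag through it instead of pasting the vendor snippet into the template, and keep `auditPreConsent` in your pre-launch checklist so a copied snippet cannot bypass the gate unnoticed.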
What should have happened:
The Business Owner's Perspective: Marcus launched a beautiful e-commerce site. Custom design, smooth animations, great user experience—for sighted users with a mouse.
A blind customer couldn't complete checkout. Tried three times. Filed a complaint.
The result:
The Developer's Perspective: The developer built what was in the design. The design didn't account for keyboard navigation. Nobody tested with a screen reader. The client never mentioned accessibility, so it wasn't in scope.
What should have happened:
Security and compliance aren't the developer's job OR the client's job. They're a shared responsibility.
You're not expected to be a security expert. But you are expected to ask the right questions and make informed decisions.
Ask your developer these questions:
| Question | Red Flag Answer | Green Flag Answer |
|---|---|---|
| How will you handle security? | "We use a secure host" | Specific measures: HTTPS, headers, updates, backups, WAF |
| Is GDPR compliance included? | "That's just a cookie banner" | Privacy by design, consent management, data minimization |
| What about accessibility? | "That's extra" | WCAG 2.2 AA as standard, testing methodology explained |
| What happens after launch? | "You're on your own" | Maintenance options with clear scope and pricing |
| What if something goes wrong? | Silence / deflection | Insurance coverage, liability terms, incident response |
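The "headers" in the green-flag answer above are something a business owner can verify without reading code: fetch the site's home page and inspect the response headers. The following is an added example, not code from the article, that encodes those checks as a function over a header map (Node-style, case-insensitive keys) and runs it against two constructed responses: a stock PHP/Apache install and a hardened one. The header list, the one-year HSTS threshold and the sample responses are this example's assumptions, not a compliance standard.

```javascript
'use strict';
// Added example: audit a set of HTTP response headers for the basic browser-side
// protections a competent developer should be able to name. Sample responses
// are constructed for the example.

const ONE_YEAR = 31536000; // seconds; the usual minimum for HSTS preloading

// Returns a list of findings; an empty list means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  // 1. Transport: HSTS makes browsers refuse http:// on repeat visits.
  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('Strict-Transport-Security missing: browsers may still try http://');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push(`Strict-Transport-Security max-age below one year: ${hsts}`);
  }

  // 2. Content Security Policy: limits what injected HTML can do.
  const csp = h['content-security-policy'];
  if (csp === undefined) {
    findings.push('Content-Security-Policy missing: no second line of defence against XSS');
  } else if (/'unsafe-inline'/.test(csp) && !/'nonce-|'sha(256|384|512)-/.test(csp)) {
    findings.push("Content-Security-Policy allows 'unsafe-inline' without nonces or hashes");
  }

  // 3. Framing: clickjacking protection via CSP frame-ancestors or X-Frame-Options.
  if (!(csp && /frame-ancestors/.test(csp)) && h['x-frame-options'] === undefined) {
    findings.push('No frame-ancestors or X-Frame-Options: page can be framed (clickjacking)');
  }

  // 4. MIME sniffing: stops browsers running a "text file" as script.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing');
  }

  // 5. Referrer leakage: full URLs (with tokens or query data) sent to third parties.
  if (h['referrer-policy'] === undefined) {
    findings.push('Referrer-Policy missing: full URLs leak to third parties');
  }

  // 6. Cookie attributes: session cookies need Secure, HttpOnly and SameSite.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.toLowerCase();
    const missing = [];
    if (!/;\s*secure/.test(attrs)) missing.push('Secure');
    if (!/;\s*httponly/.test(attrs)) missing.push('HttpOnly');
    if (!/;\s*samesite=/.test(attrs)) missing.push('SameSite');
    if (missing.length) findings.push(`Cookie ${name} lacks ${missing.join(', ')}`);
  }

  // 7. Version disclosure: tells an attacker exactly which exploits to try.
  for (const k of ['server', 'x-powered-by']) {
    if (h[k] && /\d+\.\d+/.test(h[k])) findings.push(`${k} discloses a version: ${h[k]}`);
  }
  return findings;
}

// Constructed sample: a default PHP/Apache install with no hardening.
const WEAK = {
  'Server': 'Apache/2.4.29 (Ubuntu)',
  'X-Powered-By': 'PHP/7.2.24',
  'Content-Type': 'text/html; charset=UTF-8',
  'Set-Cookie': 'PHPSESSID=abc123; path=/',
};

// Constructed sample: the same site after hardening.
const HARDENED = {
  'Content-Type': 'text/html; charset=UTF-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Set-Cookie': ['PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

console.log('weak:', auditHeaders(WEAK));         // eight findings
console.log('hardened:', auditHeaders(HARDENED)); // []
```

To run it against a live site, pass the object returned by `fetch(url).then(r => Object.fromEntries(r.headers))` (note that `fetch` folds multiple `Set-Cookie` headers into one string, so use `r.headers.getSetCookie()` where available). Treat the output as a conversation starter with the developer, not a pass/fail grade: a CSP that is present but meaningless still passes check 2.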
Don't accept a website without:
Security basics:
Privacy compliance:
Accessibility:
The website quote is not the total cost. Budget for:
| Item | Typical Cost | Why It Matters |
|---|---|---|
| Security audit (if handling sensitive data) | €500-2,000 | Identifies vulnerabilities before attackers do |
| Accessibility audit | €300-1,500 | Confirms compliance, provides evidence |
| Maintenance contract | €100-500/month | Keeps everything updated and secure |
| TLS certificate (still often called "SSL"; if not included) | €0-200/year | Enables HTTPS; free certificates from Let's Encrypt are standard on most hosts |
| Cookie consent platform | €0-50/month | Proper consent management |
The cheapest website is rarely the cheapest to own. Factor in the cost of things going wrong.
You're the professional. That comes with obligations beyond "build what the client asked for."
These should be in every project, whether the client asks for them or not:
Security (every project):
Privacy (if collecting any personal data):
Accessibility (every project):
Contract language matters. Your contract should include:
Get insurance. Professional Indemnity Insurance typically costs £300-800/year for freelancers. One claim can bankrupt you. This is not optional.
Document everything. When things go wrong:
When a client says "we don't need that," you have three choices:
Option 2 is the minimum. Option 3 is sometimes the right choice. Option 1 is professional negligence.
Still not convinced? Let's talk money.
Cost of doing it right:
Cost of doing it wrong:
The math is simple. Compliance is cheaper than non-compliance.
Security and compliance as competitive advantage:
| Client Interest Level | % of Business Clients |
|---|---|
| Not Important | 5% |
| Nice to Have | 12% |
| Important | 28% |
| Very Important | 35% |
| Essential | 20% |
55% of business clients rate security as "very important" or "essential" in developer selection.
Revenue opportunities:
The developers who understand this stuff win better clients, charge higher rates, and build sustainable businesses.
Today:
This month:
This quarter:
Today:
This month:
This quarter:
The days of "just build a website" are over.
Every website is a data processor, an attack surface, and a legal liability. The regulations are real. The fines are real. The lawsuits are real.
Business owners: You can't outsource responsibility. Understand what you need, demand it from your developers, and budget for it properly.
Developers: You can't hide behind "the client didn't ask for it." Professional duty of care exists. Build it right, document everything, and protect yourself.
Both of you: Have the conversation upfront. Define responsibilities. Put it in writing. Review it regularly.
The "mumbo jumbo" of security and compliance isn't bureaucratic overhead. It's the difference between a website that serves your business and one that destroys it.
Understand it. Demand it. Deliver it.