GDPR Website Compliance Checklist UK
Last updated: Tue Jun 16 2026
UK businesses must handle personal data lawfully under UK GDPR and the Data Protection Act 2018. Your website is often the first place you collect names, emails, analytics data and cookie preferences. This checklist helps SMEs build a compliant foundation, whether you run a brochure site or an online shop.
1. Legal documentation
- Publish a clear privacy policy explaining what data you collect and why
- State your lawful basis for processing (consent, contract, legitimate interest)
- Include contact details for data protection queries
- Link to your cookie policy from the site footer
2. Cookie and tracking consent
- Show a consent banner before non-essential cookies are set
- Offer accept, reject and granular preference options
- Do not load analytics or advertising scripts until consent is given
- Record consent choices where your platform supports it
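The two points above (withholding non-essential scripts until consent and recording the choice) can be implemented as a small consent-gated tag loader. The code below is an added example, not code from this page or any named consent tool; `createConsentManager`, `memoryStore` and the script URLs are hypothetical, and `loadScript` is injected so the same logic runs in the browser (where it would append a `<script>` element) and in a plain Node test.

```javascript
// Added example: consent-gated loading of non-essential tags.
// Tags are registered against a consent category and are only loaded once the
// visitor has granted that category; the choice is persisted with a version so a
// changed cookie policy re-asks rather than silently reusing an old answer.

const CONSENT_VERSION = 1; // bump when the cookie policy changes

function createConsentManager({ loadScript, store }) {
  // loadScript(src): in a browser, create and append a <script> element.
  // store: { get(), set(record) } - e.g. a localStorage or first-party cookie wrapper.
  const pending = { analytics: [], advertising: [] }; // queued, not yet loaded
  const loaded = new Set();                           // loaded exactly once per src
  let record = store.get();
  if (record && record.version !== CONSENT_VERSION) record = null; // stale choice: ask again

  function isGranted(category) {
    return Boolean(record && record.choices[category]);
  }

  function loadOnce(src) {
    if (loaded.has(src)) return;
    loadScript(src);
    loaded.add(src);
  }

  function flush(category) {
    for (const src of pending[category]) loadOnce(src);
    pending[category] = [];
  }

  return {
    // Register a non-essential tag. It loads immediately only if consent for its
    // category is already on file; otherwise it waits in the queue.
    register(category, src) {
      if (!(category in pending)) throw new Error(`unknown consent category: ${category}`);
      if (isGranted(category)) loadOnce(src);
      else pending[category].push(src);
    },
    // Persist what the visitor chose and when, then release the queued tags for
    // granted categories. Rejected categories stay queued and never load.
    setChoices(choices) {
      record = {
        version: CONSENT_VERSION,
        timestamp: new Date().toISOString(),
        choices: {
          analytics: Boolean(choices.analytics),
          advertising: Boolean(choices.advertising),
        },
      };
      store.set(record);
      for (const category of Object.keys(pending)) {
        if (record.choices[category]) flush(category);
      }
    },
    needsBanner() { return record === null; }, // show the banner until a valid choice exists
    isGranted,
    loadedScripts() { return [...loaded]; },
  };
}

// In-memory store standing in for localStorage; constructed for this example.
function memoryStore() {
  let value = null;
  return { get: () => value, set: (v) => { value = v; } };
}
```

In a real page the essential scripts (session handling, CSRF tokens, the banner itself) are loaded normally and only the analytics and advertising tags go through `register`; the banner's accept, reject and preference buttons all end in one `setChoices` call, so a rejection is recorded just as explicitly as an acceptance.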
3. Forms and data collection
- Collect only the data you actually need for each form
- Use HTTPS on all form submission endpoints
- Explain how long you retain enquiries and how users can request deletion
- Never store card details yourself: use PCI-compliant payment providers
4. Third-party processors
- List subprocessors in your privacy policy (hosting, email, CRM, analytics)
- Confirm international transfers have appropriate safeguards if data leaves the UK
- Review plugin and SaaS terms when you add new integrations
5. Security measures
GDPR requires appropriate technical measures. Read our blog on website security for password, 2FA and update practices. At minimum:
- Strong unique passwords and 2FA on admin accounts
- Regular software and plugin updates
- Encrypted backups stored off-site
6. eCommerce-specific checks
Online retailers have extra obligations. See our GDPR eCommerce guide for checkout, marketing and retention rules.
When to get professional help
Compliance requirements vary by sector and data volume. We build GDPR-aware sites with secure hosting, consent tooling and hardened admin panels. Explore our security services or eCommerce development if you need implementation support.
Frequently Asked Questions
Does UK GDPR apply to small business websites?
Yes, if you process personal data about identifiable individuals. That includes contact forms, accounts, newsletters and analytics.
Can I use Google Analytics without consent?
Non-essential analytics cookies require informed consent before they are set. Configure your banner and tag manager accordingly.
Is this checklist legal advice?
No. It is a practical web development checklist. Seek legal counsel for sector-specific obligations such as health or financial services.