Website GDPR Checklist for UK Small Businesses
UK GDPR — the domestic version of the EU's General Data Protection Regulation, retained after Brexit — applies to almost every small business website. If your site has a contact form, uses Google Analytics, sends email newsletters or processes payments online, you are handling personal data and have legal obligations.
This checklist covers the most important requirements for a typical small business website. It is not a substitute for professional legal advice if your situation is complex, but for most service and retail websites it covers the key areas you need to address.
Privacy policy and cookie notice
Every website that collects personal data needs a published privacy policy. It must explain what data you collect, why, how long you keep it, who you share it with and how users can exercise their rights under UK GDPR. The policy should be accessible from every page — typically via a footer link — and linked from any form that collects personal information.
If your site uses any cookies beyond those strictly necessary for it to function — and most sites do, via Google Analytics, Facebook Pixel, YouTube embeds or chat widgets — you need a cookie consent mechanism. Visitors must be able to accept or decline non-essential cookies before they are placed, not after. A pre-ticked consent box or continued-browsing consent does not meet the standard. Use a cookie management platform (CookieYes, Cookiebot, or similar) to handle this correctly.
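The "consent before placement" rule above, as an added example that is not code from the original page or from any cookie management platform: a small consent gate written in plain JavaScript with no DOM access, so it can run under Node. The category names, the policy version and the 180-day re-consent period are assumptions for the example.

```javascript
// Added example (not from the original page): consent-gating logic for
// non-essential cookies. Pure functions with no DOM access, so it runs in Node;
// on a real site you would call recordConsent() from the banner's buttons and
// check canLoad() before injecting any analytics, pixel or embed script.

const CONSENT_VERSION = 2;        // assumed: bump whenever the cookie policy changes
const CONSENT_MAX_AGE_DAYS = 180; // assumed: ask again after this period
const NON_ESSENTIAL = ['analytics', 'marketing', 'embeds'];
const MS_PER_DAY = 86400000;

// State before the visitor has chosen anything: no decision, nothing granted.
// There is deliberately no pre-ticked "true" default.
function initialConsent() {
  return { version: CONSENT_VERSION, decidedAt: null, granted: {} };
}

// Record an explicit choice made by the visitor. `choices` maps a category to a
// boolean; anything missing or not strictly `true` is treated as declined.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const cat of NON_ESSENTIAL) granted[cat] = choices[cat] === true;
  return { version: CONSENT_VERSION, decidedAt: now, granted };
}

// Categories that may load right now. Returns [] (load nothing) when there is
// no decision, the policy version changed, or the recorded consent has expired.
function allowedCategories(record, now = Date.now()) {
  if (!record || record.decidedAt === null) return [];
  if (record.version !== CONSENT_VERSION) return [];
  if ((now - record.decidedAt) / MS_PER_DAY > CONSENT_MAX_AGE_DAYS) return [];
  return NON_ESSENTIAL.filter((cat) => record.granted[cat] === true);
}

// Gate for a single tag. Strictly necessary cookies need no consent, so any
// category outside NON_ESSENTIAL is always allowed.
function canLoad(category, record, now = Date.now()) {
  if (!NON_ESSENTIAL.includes(category)) return true;
  return allowedCategories(record, now).includes(category);
}

// Only injects the tag when its category is permitted; `inject` is whatever
// function actually adds the <script> element. Returns whether it ran.
function loadIfAllowed(category, record, inject, now = Date.now()) {
  if (!canLoad(category, record, now)) return false;
  inject();
  return true;
}
```

The `decidedAt` timestamp and `version` in the record are what you would keep as your evidence of when and how consent was given.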
Contact forms and data storage
Your contact form should only ask for information you genuinely need. Name, email and a message are almost always sufficient for an initial enquiry form. Collecting a phone number, company name or postcode is fine if you have a clear reason for it; collecting data you do not use creates unnecessary compliance obligations.
Link to your privacy policy from every form. State briefly how the submitted data will be used — "We'll use your details to respond to your enquiry and will not share them with third parties" is sufficient for most enquiry forms. Check where form submissions are stored: if they land in an email inbox and are never deleted, you are retaining data indefinitely, which you need to justify or address with a retention policy.
If you use a CRM, email platform or booking system, verify that the provider is UK GDPR compliant and review their data processing terms. You remain responsible for how your suppliers handle the data you share with them, so have a data processing agreement in place with each one.
Email marketing and consent
If you send marketing emails, you need a valid legal basis for each contact. For existing customers, "legitimate interests" may apply. For new contacts, you generally need explicit consent — a clear opt-in at the point of data collection, not a pre-ticked box. Every marketing email must include an unsubscribe link and your business's name and address.
Keep a record of when and how consent was obtained for each marketing contact. If your list was built before GDPR came into force and you cannot evidence consent, consider running a re-consent campaign or removing contacts who have not engaged recently. Sending to an unverified list is a compliance risk and typically produces poor results anyway.
Register with the ICO if you are processing personal data. Annual registration is required for most UK businesses and costs £40-£60 per year for small organisations. You can check whether you need to register and do so at ico.org.uk. Failure to register when required can result in a fixed penalty.
Common questions
Does Brexit mean UK businesses no longer need to follow GDPR?
Is Google Analytics a GDPR problem?
What is the ICO and should I register with them?