Website GDPR Checklist for UK Small Businesses

UK GDPR — the domestic version of the EU's General Data Protection Regulation, retained after Brexit — applies to almost every small business website. If your site has a contact form, uses Google Analytics, sends email newsletters or processes payments online, you are handling personal data and have legal obligations.

This checklist covers the most important requirements for a typical small business website. It is not a substitute for professional legal advice if your situation is complex, but for most service and retail websites it covers the key areas you need to address.

Privacy policy and cookie notice

Every website that collects personal data needs a published privacy policy. It must explain what data you collect, why, how long you keep it, who you share it with and how users can exercise their rights under UK GDPR. The policy should be accessible from every page — typically via a footer link — and linked from any form that collects personal information.

If your site uses any cookies beyond those strictly necessary for it to function — and most sites do, via Google Analytics, Facebook Pixel, YouTube embeds or chat widgets — you need a cookie consent mechanism. Visitors must be able to accept or decline non-essential cookies before they are placed, not after. A pre-ticked consent box or continued-browsing consent does not meet the standard. Use a cookie management platform (CookieYes, Cookiebot, or similar) to handle this correctly.
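The "decline before they are placed, not after" rule is easiest to get right when the script tags for analytics and similar tools are never in the page's HTML at all, but are injected only after an explicit opt-in. The following is an added illustration, not code from this guide and not the code of any consent platform; it assumes a single "analytics" category, a placeholder Google tag URL, and that the page keeps the visitor's choice in `localStorage` (passed in as `storage` so it can also run outside a browser). Any category the visitor did not tick is recorded as declined, and a choice made against an older policy version is ignored, so the banner is shown again.

```javascript
// Added example: consent-gated loading of non-essential scripts with an audit record.
// Not from the guide; measurement ID and storage key are placeholders.
const POLICY_VERSION = "2024-06"; // change whenever the cookie policy text changes

// Non-essential scripts keyed by consent category. None of these appear in the
// HTML; they are injected only after the matching category has been accepted.
const NON_ESSENTIAL_SCRIPTS = {
  analytics: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER", // placeholder ID
};

// Build a consent record from the banner's choices. Anything the visitor did not
// explicitly tick is recorded as declined: no default-on box, no implied consent.
function makeConsentRecord(choices, now = new Date()) {
  if (choices === null || typeof choices !== "object") {
    throw new TypeError("choices must be an object of category -> boolean");
  }
  const categories = {};
  for (const category of Object.keys(NON_ESSENTIAL_SCRIPTS)) {
    categories[category] = choices[category] === true;
  }
  return {
    categories,
    policyVersion: POLICY_VERSION,
    method: "banner-click",       // how consent was obtained
    timestamp: now.toISOString(), // when it was obtained
  };
}

// A stored record only counts if it was given against the current policy version.
function isRecordCurrent(record) {
  return Boolean(record) && record.policyVersion === POLICY_VERSION;
}

// Categories whose scripts may be loaded. No record, or a stale one, means none.
function allowedScripts(record) {
  if (!isRecordCurrent(record)) return [];
  return Object.keys(NON_ESSENTIAL_SCRIPTS).filter((c) => record.categories[c] === true);
}

// Inject the permitted script tags. `doc` is the page's `document`; it is a
// parameter so the logic can be exercised without a browser.
function loadPermittedScripts(record, doc) {
  const loaded = [];
  for (const category of allowedScripts(record)) {
    const script = doc.createElement("script");
    script.async = true;
    script.src = NON_ESSENTIAL_SCRIPTS[category];
    doc.head.appendChild(script);
    loaded.push(category);
  }
  return loaded;
}

// On page load: honour a current stored record, otherwise return null so the
// caller shows the banner. Nothing non-essential runs until a choice exists.
function initConsent(storage, doc) {
  let record = null;
  try {
    record = JSON.parse(storage.getItem("cookie-consent") || "null");
  } catch (e) {
    record = null; // corrupt storage is treated as "no choice made"
  }
  if (!isRecordCurrent(record)) return null;
  loadPermittedScripts(record, doc);
  return record;
}

// Banner Accept/Decline handler: persist the record, then load what it permits.
function onBannerChoice(choices, storage, doc) {
  const record = makeConsentRecord(choices);
  storage.setItem("cookie-consent", JSON.stringify(record));
  loadPermittedScripts(record, doc);
  return record;
}
```

In a real page, `initConsent(window.localStorage, document)` runs once on load, and the banner's two buttons call `onBannerChoice({ analytics: true }, ...)` and `onBannerChoice({}, ...)` respectively. Because the Decline path produces a record too, the banner is not shown again on every visit, but it is shown again after the policy version changes.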

Contact forms and data storage

Your contact form should only ask for information you genuinely need. Name, email and a message are almost always sufficient for an initial enquiry form. Collecting a phone number, company name or postcode is fine if you have a clear reason for it; collecting data you do not use creates unnecessary compliance obligations.

Link to your privacy policy from every form. State briefly how the submitted data will be used — "We'll use your details to respond to your enquiry and will not share them with third parties" is sufficient for most enquiry forms. Check where form submissions are stored: if they land in an email inbox and are never deleted, you are retaining data indefinitely, which you need to justify or address with a retention policy.

If you use a CRM, email platform or booking system, verify that the provider is UK GDPR compliant and review their data processing terms. You remain responsible for how your suppliers handle the data you share with them, and that relationship should be governed by a data processing agreement with each provider.

Email marketing and consent

If you send marketing emails, you need a valid legal basis for each contact. For existing customers, "legitimate interests" may apply. For new contacts, you generally need explicit consent — a clear opt-in at the point of data collection, not a pre-ticked box. Every marketing email must include an unsubscribe link and your business's name and address.

Keep a record of when and how consent was obtained for each marketing contact. If your list was built before GDPR came into force and you cannot evidence consent, consider running a re-consent campaign or removing contacts who have not engaged recently. Sending to an unverified list is a compliance risk and typically produces poor results anyway.

Register with the ICO if you are processing personal data. Annual registration is required for most UK businesses and costs £40-£60 per year for small organisations. You can check whether you need to register and do so at ico.org.uk. Failure to register when required can result in a fixed penalty.

FAQs

Common questions.

Does Brexit mean UK businesses no longer need to follow GDPR?

No. The UK retained GDPR into domestic law as UK GDPR via the Data Protection Act 2018. The requirements are substantially the same as EU GDPR. If you have customers in EU countries, you may also need to comply with EU GDPR separately, though for most small UK businesses serving UK customers, UK GDPR is the primary obligation.

Is Google Analytics a GDPR problem?

Google Analytics collects IP addresses and sets cookies, both of which constitute personal data processing under GDPR. You need to disclose its use in your cookie policy, obtain consent before placing analytics cookies, and reference Google as a data processor in your privacy policy. Google Analytics 4 has improved privacy controls, but does not remove the consent requirement for cookies.

What is the ICO and should I register with them?

The Information Commissioner's Office is the UK's independent data protection regulator. Most businesses that process personal data are required to register annually as a "data controller" and pay a fee of £40-£60 (for small organisations). Check your obligation at ico.org.uk/registration. The ICO also provides free guidance, templates and a helpline for small businesses.