QUICK ANSWER
A GDPR website compliance checklist should cover: a clear privacy policy, cookie consent banner with reject option, lawful basis for data processing, data breach response plan, subject access request process, data protection impact assessment for high-risk processing, and secure data storage with encryption.
If you run a small business in the UK, GDPR compliance isn't optional. The Information Commissioner's Office (ICO) can issue fines of up to £17.5 million or 4% of annual turnover for serious breaches. But for most small businesses, compliance comes down to a handful of practical steps.
This checklist covers everything your website needs to be GDPR-compliant. Work through each item systematically.
Your privacy policy must explain what personal data you collect, why you collect it, who you share it with, how long you keep it, and what rights individuals have. It must be written in clear, plain language — not buried in legal jargon.
The policy should be linked from every page of your website, typically in the footer. It must cover all data processing activities, including contact forms, newsletter sign-ups, analytics tracking, and third-party services like payment processors.
Under both GDPR and PECR, you must obtain consent before setting non-essential cookies on a visitor's device. This means no analytics cookies, advertising cookies, or tracking pixels until the user has actively consented.
Your consent banner must offer a clear reject option — not just an "accept" button. Pre-ticked boxes do not count as valid consent. The user must take a positive action to opt in. For more detail, see our guide on whether you need a cookie consent banner and the differences between GDPR and PECR.
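The gating rule above (no non-essential script runs until the visitor takes a positive action, and "reject" is as easy as "accept") is shown below as an added example; it is not code from the original article or from PulseShield. It assumes non-essential scripts are written into the page as `<script type="text/plain" data-consent="analytics">` so the browser does not execute them, a banner element with the ids `cookie-banner`, `cookie-accept` and `cookie-reject`, and a storage key of `cookie_consent_v1`; all of those names are assumptions. The decision logic is kept in plain functions so it runs (and can be checked) outside a browser, and the DOM wiring only runs when a `document` exists.

```javascript
// Added example (not part of the original article). Names below are assumptions.
const CONSENT_KEY = 'cookie_consent_v1';          // assumed localStorage key
const CATEGORIES = ['analytics', 'advertising']; // assumed non-essential categories

// No stored record, or a malformed one, must mean "no consent": every
// non-essential category defaults to false and nothing is pre-selected.
function emptyConsent() {
  return { decided: false, analytics: false, advertising: false };
}

// Parse a stored record defensively. A record only counts if it was produced by
// a positive action (decided === true); anything else is treated as undecided.
function parseConsent(raw) {
  if (typeof raw !== 'string') return emptyConsent();
  try {
    const obj = JSON.parse(raw);
    if (!obj || obj.decided !== true) return emptyConsent();
    const consent = emptyConsent();
    consent.decided = true;
    for (const cat of CATEGORIES) consent[cat] = obj[cat] === true;
    return consent;
  } catch (e) {
    return emptyConsent();
  }
}

// Accept and reject are symmetric: both are a single click, both record a decision.
function acceptAll() { return { decided: true, analytics: true, advertising: true }; }
function rejectAll() { return { decided: true, analytics: false, advertising: false }; }

// Given the page's tagged scripts ({ category }), return those allowed to load.
// A script with no category is essential (e.g. the consent code itself) and always loads.
function scriptsAllowed(scripts, consent) {
  return scripts.filter(s => !s.category || consent[s.category] === true);
}

// Browser wiring; skipped when there is no DOM (e.g. when run under Node).
if (typeof document !== 'undefined') {
  const consent = parseConsent(localStorage.getItem(CONSENT_KEY));
  const tagged = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  ).map(el => ({ el, category: el.dataset.consent }));

  // Swap each permitted inert script for a live one; the rest stay inert.
  const activate = c => {
    for (const s of scriptsAllowed(tagged, c)) {
      const live = document.createElement('script');
      if (s.el.src) live.src = s.el.src; else live.textContent = s.el.textContent;
      s.el.replaceWith(live);
    }
  };

  if (consent.decided) {
    activate(consent);
  } else {
    const banner = document.getElementById('cookie-banner'); // assumed element id
    banner.hidden = false;
    const save = c => {
      localStorage.setItem(CONSENT_KEY, JSON.stringify(c));
      banner.hidden = true;
      activate(c);
    };
    document.getElementById('cookie-accept').addEventListener('click', () => save(acceptAll()));
    document.getElementById('cookie-reject').addEventListener('click', () => save(rejectAll()));
  }
}
```

The important property is in `parseConsent` and `scriptsAllowed`: the absence of a record, a record missing the `decided` flag, or a category the visitor never agreed to all resolve to "do not load", so a tracking script can only ever run after an explicit click.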
Every time you process personal data, you need a lawful basis. The six options are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most small businesses rely on consent (for marketing), contract (for fulfilling orders), and legitimate interests (for basic business operations).
You must document which lawful basis applies to each processing activity and explain it in your privacy policy. You can't swap between bases after the fact — decide upfront and record it.
Any form that collects personal data — contact forms, newsletter sign-ups, quote requests — needs an unchecked consent checkbox. The text must clearly state what the user is agreeing to, for example "I agree to receive marketing emails", with a link to your privacy policy.
Never pre-tick these boxes. The user must actively check them. If you collect data for multiple purposes (e.g. processing an order and adding to a mailing list), use separate checkboxes for each purpose.
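As an added example (not code from the original article or from PulseShield), the following shows how a site can render those checkboxes unticked, one per purpose, and then verify each one server-side when the form is submitted. The purpose names, field names, checkbox wording and the `value="yes"` convention are all assumptions. Two points the paragraphs above imply are made explicit in code: a purpose whose lawful basis is contract (fulfilling the order) proceeds whether or not the marketing box was ticked, so the order is never held hostage to a marketing opt-in; and every decision is recorded with the wording the user saw and a timestamp, so consent can be evidenced later.

```javascript
// Added example (not part of the original article). Purposes and field names are assumptions.
// Each purpose is declared once with its lawful basis. Consent-based purposes get
// their own checkbox field and the exact wording shown to the user.
const PURPOSES = {
  order:     { basis: 'contract', field: null },
  marketing: { basis: 'consent', field: 'consent_marketing',
               wording: 'I agree to receive marketing emails' },
  profiling: { basis: 'consent', field: 'consent_profiling',
               wording: 'I agree to my purchases being used to personalise offers' },
};

// Render one unticked checkbox per consent-based purpose. There is deliberately
// no `checked` attribute anywhere, and each label links to the privacy policy.
function renderConsentFields(privacyUrl = '/privacy') {   // assumed URL
  return Object.entries(PURPOSES)
    .filter(([, p]) => p.basis === 'consent')
    .map(([, p]) =>
      `<label><input type="checkbox" name="${p.field}" value="yes"> ` +
      `${p.wording} (<a href="${privacyUrl}">privacy policy</a>)</label>`)
    .join('\n');
}

// Evaluate a submitted form body (a plain object of field -> string, as a form
// parser would produce). Returns the purposes that may proceed and a consent
// record suitable for logging. A checkbox is only present in the body when the
// user ticked it; we accept only the exact rendered value and never a default.
function evaluateConsent(body, now = new Date()) {
  const granted = [];
  const record = [];
  for (const [name, p] of Object.entries(PURPOSES)) {
    if (p.basis !== 'consent') {
      granted.push(name);             // e.g. contract: no consent box involved
      continue;
    }
    const ticked = body[p.field] === 'yes';
    record.push({ purpose: name, given: ticked, wording: p.wording, at: now.toISOString() });
    if (ticked) granted.push(name);
  }
  return { granted, record };
}

// Example submission (constructed): the customer ticked marketing but not profiling.
const exampleBody = { name: 'A. Customer', email: 'a@example.invalid', consent_marketing: 'yes' };
const exampleResult = evaluateConsent(exampleBody);
```

In a real handler, `granted` decides which downstream actions run (fulfil the order, add to the mailing list) and `record` is appended to a consent log alongside the user's identifier; the log, not the mailing-list membership, is what you produce if asked to show that consent was given.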
Individuals have the right to ask you to delete their personal data. You must comply within one month. This means you need a process for locating and removing someone's data from all your systems — your website database, email marketing platform, CRM, and any spreadsheets.
Make sure your website has a clear mechanism for submitting erasure requests, such as a dedicated email address or a form. You can refuse in limited circumstances (e.g. legal obligation to keep records), but you must explain why.
If personal data is accidentally disclosed, lost, or accessed without authorisation, you must report certain breaches to the ICO within 72 hours. You must also notify affected individuals if the breach poses a high risk to their rights and freedoms.
Your response plan should define what constitutes a breach, who is responsible for assessing severity, how to report to the ICO, and how to notify affected individuals. Even small businesses need this — a compromised contact form database counts as a breach.
A DPIA is required when your processing is likely to result in a high risk to individuals. For most small business websites, this applies if you process health data, financial data, or use new technologies like automated decision-making or large-scale profiling.
Even if a formal DPIA isn't required, it's good practice to think through the risks. Document what data you collect, why, what could go wrong, and what safeguards you have in place.
If any third party processes personal data on your behalf — your email marketing provider, hosting company, payment processor, or analytics platform — you need a data processing agreement (DPA) with them. This is a legal requirement under Article 28 of GDPR.
Most major services (Mailchimp, Stripe, Google) provide standard DPAs. But you need to check that each one is in place and that the processor only uses data as you instruct.
Anyone in your business who handles personal data needs to understand GDPR basics. This includes knowing how to recognise a data subject request, how to spot a potential breach, and what constitutes personal data.
Training doesn't need to be formal or expensive. A documented internal policy and a short briefing session are sufficient for most small teams. The key is that people know what to do when something goes wrong.
GDPR requires organisations to maintain a record of their processing activities. For small businesses, this is a simple document listing: what data you collect, why, where it's stored, who has access, how long you keep it, and when it gets deleted.
This record-keeping requirement sounds onerous, but in practice it's a single spreadsheet or document. It's also invaluable if the ICO ever investigates your business — it shows you take compliance seriously.
GDPR compliance isn't a one-time task. Your website changes, you add new forms, you switch email providers, you install new tracking scripts. Each change could introduce a compliance gap.
Run a compliance audit at least quarterly. Check that your privacy policy is still accurate, that your cookie consent banner is working, that no new tracking scripts have been added without consent, and that your forms still have proper consent mechanisms.
PulseShield can automate this process. Run a free scan to check your website for cookie compliance issues, missing security headers, and other GDPR-relevant problems.
GDPR requires "appropriate technical and organisational measures" to protect personal data. For a small business website, this means: SSL/TLS encryption (HTTPS) on every page, secure password storage, regular software updates, access controls on admin panels, and encrypted database connections.
If your website stores personal data in a database, make sure it's not publicly accessible. Use strong passwords, enable two-factor authentication on your hosting and CMS accounts, and keep all software patched and up to date.
Remember that UK websites need to comply with both GDPR and PECR. GDPR covers data processing broadly; PECR covers electronic communications specifically, including cookies and email marketing. For a full breakdown, see our guide on the differences between GDPR and PECR.
The ICO website at ico.org.uk is the authoritative source for UK data protection guidance and should be your first port of call for specific questions.
Run a free scan to find cookie consent issues, missing security headers, and tracking scripts loading without consent.