Compliance · 8 min read · 10 April 2026

GDPR Website Compliance Checklist for UK Businesses (2025)

A practical, actionable checklist covering the technical website requirements UK businesses must meet under GDPR — from cookie consent to SSL certificates and data breach readiness.

Is Your Website GDPR Compliant?

The General Data Protection Regulation (GDPR) applies to any website that processes personal data of UK or EU residents. For most UK businesses, that means almost every website — contact forms, analytics, cookies, and email sign-ups all count.

Non-compliance carries fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) under the UK GDPR. More practically, a data breach on a non-compliant site can destroy customer trust overnight.

This checklist covers the technical website requirements. It is not legal advice — consult a solicitor for full compliance guidance.


1. SSL/TLS Certificate (Article 32)

Requirement: All data transmitted between your website and visitors must be encrypted.

  • Your site uses HTTPS on all pages (no mixed content)
  • SSL certificate is valid and not expired
  • TLS 1.2 or 1.3 is used (TLS 1.0 and 1.1 are deprecated)
  • HTTP requests redirect to HTTPS automatically
  • HSTS header is set to enforce HTTPS

Why it matters: Article 32 requires "appropriate technical measures" to protect personal data. Unencrypted transmission is a clear violation.


2. Cookie Consent (Article 6 & ePrivacy Directive)

Requirement: Non-essential cookies require explicit, informed consent before being set.

  • Cookie consent banner is shown on first visit
  • Consent is granular (analytics, marketing, functional separate)
  • Cookies are not set before consent is given
  • Users can withdraw consent as easily as they gave it
  • Consent records are stored with timestamp and version

Common mistake: Pre-ticked boxes or "by continuing to use this site" banners do not constitute valid consent under UK GDPR.
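The checklist items above ("cookies are not set before consent is given", granular consent, consent records with timestamp and version) can be checked mechanically. The following is an added example, not code from the article or from WebGuard: it parses the Set-Cookie headers captured on a first visit, flags any cookie that is not on the site's own strictly-necessary list, checks the Secure and SameSite flags on the cookies that are allowed, and shows the shape of a consent record and the gating decision made from it. The cookie names, the necessary-cookie list and the captured headers are constructed for illustration.

```python
"""Cookie consent audit: what was set before the user chose anything?

Added example (not the article's or WebGuard's code). All cookie names,
header values and category mappings below are constructed samples.
"""
from datetime import datetime, timezone

# Constructed: cookies the site has documented as strictly necessary
# (session, CSRF protection, and the consent record itself).
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "cookie_consent"}

# Constructed: Set-Cookie headers captured on a first visit, before any
# consent choice exists. _ga and _fbp are analytics/marketing cookies.
FIRST_VISIT_SET_COOKIES = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=xyz789; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1700000000.123456; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_first_visit(set_cookie_headers, necessary=STRICTLY_NECESSARY):
    """Return [(cookie_name, finding)] for a pre-consent page load.

    Any cookie outside the strictly-necessary list is a finding on its own;
    necessary cookies are still checked for the Secure and SameSite flags.
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in necessary:
            findings.append((name, "non-essential cookie set before consent"))
            continue
        if "secure" not in attrs:
            findings.append((name, "missing Secure flag"))
        if "samesite" not in attrs:
            findings.append((name, "missing SameSite attribute"))
    return findings


def consent_record(choices, policy_version, now=None):
    """Build the record stored when the user makes a choice.

    Granular categories, the cookie-policy version shown to the user, and a
    UTC timestamp: enough to prove later what was agreed to and when.
    """
    timestamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "version": policy_version,
        "timestamp": timestamp,
        "analytics": bool(choices.get("analytics")),
        "marketing": bool(choices.get("marketing")),
        "functional": bool(choices.get("functional")),
    }


def may_set(cookie_name, record, categories):
    """Decide whether a cookie may be set given the stored consent record.

    `categories` maps cookie name -> "necessary" | "analytics" |
    "marketing" | "functional". Unclassified cookies are refused, which is
    the safe default for anything the cookie audit has not yet covered.
    """
    category = categories.get(cookie_name)
    if category == "necessary":
        return True
    if category is None:
        return False
    return bool(record.get(category))


if __name__ == "__main__":
    for name, finding in audit_first_visit(FIRST_VISIT_SET_COOKIES):
        print(f"{name}: {finding}")
    record = consent_record({"analytics": True}, policy_version="2025-01")
    cats = {"_ga": "analytics", "_fbp": "marketing", "sessionid": "necessary"}
    for cookie in cats:
        print(cookie, "allowed" if may_set(cookie, record, cats) else "blocked")
```

The sample capture produces two findings (`_ga` and `_fbp` set before consent) and none for the session and CSRF cookies, which carry Secure and SameSite. The `may_set` gate is the piece the tag manager or server-side code should consult before emitting any non-essential cookie; refusing unclassified cookies by default is what keeps a newly added script from quietly bypassing the banner.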


3. Privacy Policy (Articles 13 & 14)

Requirement: You must inform users what data you collect, why, how long you keep it, and their rights.

  • Privacy policy is accessible from every page (typically in the footer)
  • Policy covers: data controller identity, data types collected, legal basis, retention periods, third-party sharing, user rights
  • Policy is written in plain English (not legalese)
  • Policy is dated and version-controlled
  • Contact details for data subject requests are provided

4. Contact Forms & Data Collection (Article 5)

Requirement: Only collect data that is necessary for the stated purpose (data minimisation).

  • Contact forms only ask for fields that are genuinely needed
  • Form submissions are transmitted over HTTPS
  • Form data is not stored longer than necessary
  • CAPTCHA or similar spam protection is in place
  • Confirmation email does not include the full message content if unnecessary

5. Analytics & Third-Party Scripts (Article 28)

Requirement: Third-party processors (Google Analytics, HubSpot, etc.) must be covered by a Data Processing Agreement (DPA).

  • DPAs are in place with all analytics and marketing tool providers
  • Analytics are configured to anonymise IP addresses
  • Google Analytics 4 is used (Universal Analytics is retired)
  • Third-party scripts are only loaded after consent where required
  • Subprocessors are listed in your privacy policy

6. Security Headers (Article 32)

Requirement: Technical measures must prevent unauthorised access and data breaches.

  • Content-Security-Policy header is set
  • X-Content-Type-Options: nosniff is set
  • X-Frame-Options or CSP frame-ancestors is set
  • Referrer-Policy is set to limit data leakage
  • Permissions-Policy restricts unnecessary browser features
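The HTTP-to-HTTPS redirect and HSTS items from section 1 and the five headers in this section can all be verified from a response capture. The example below is added here and is not the article's or WebGuard's scanner: it takes a constructed HTTP response and two constructed HTTPS responses (a weak one and a hardened one), checks the redirect, parses the HSTS max-age, and reports which section 6 headers are absent. The one-year HSTS minimum is an assumption chosen for the example. TLS version (TLS 1.2/1.3) is not covered, since that needs a live handshake rather than a header capture.

```python
"""Response-header audit for sections 1 and 6 of the checklist.

Added example (not the article's or WebGuard's code). The responses and
the HSTS threshold below are constructed assumptions for illustration.
"""

# Assumption for this example: one year is the commonly recommended floor.
HSTS_MIN_MAX_AGE = 31536000

# Constructed: what a plain-HTTP request to the site returns.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://example.com/"}}

# Constructed: a weak HTTPS response (short HSTS, no framing protection,
# no Permissions-Policy).
WEAK_HTTPS_RESPONSE = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
}

# Constructed: the same site after the checklist has been applied.
HARDENED_HTTPS_RESPONSE = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    },
}


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts_max_age(value):
    """Extract max-age from an HSTS value; None if missing or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def csp_has_frame_ancestors(csp):
    """True if the CSP contains a frame-ancestors directive."""
    return any(d.strip().lower().startswith("frame-ancestors")
               for d in csp.split(";"))


def audit_redirect(http_response):
    """Section 1: plain HTTP must redirect to an https:// location."""
    location = get_header(http_response["headers"], "Location") or ""
    redirected = (http_response["status"] in (301, 302, 307, 308)
                  and location.lower().startswith("https://"))
    return [] if redirected else ["HTTP does not redirect to HTTPS"]


def audit_security_headers(https_response):
    """Sections 1 and 6: HSTS plus the five security headers. Returns findings."""
    h = https_response["headers"]
    findings = []
    hsts = get_header(h, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age too short ({max_age}); aim for >= {HSTS_MIN_MAX_AGE}")
    csp = get_header(h, "Content-Security-Policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    # Either header satisfies the clickjacking item; frame-ancestors is the modern one.
    if get_header(h, "X-Frame-Options") is None and not (csp and csp_has_frame_ancestors(csp)):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if (get_header(h, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if get_header(h, "Referrer-Policy") is None:
        findings.append("Referrer-Policy missing")
    if get_header(h, "Permissions-Policy") is None:
        findings.append("Permissions-Policy missing")
    return findings


if __name__ == "__main__":
    print("redirect:", audit_redirect(HTTP_RESPONSE) or "ok")
    print("weak:", audit_security_headers(WEAK_HTTPS_RESPONSE))
    print("hardened:", audit_security_headers(HARDENED_HTTPS_RESPONSE) or "ok")
```

On the weak sample the audit reports three findings (HSTS max-age of 300 seconds, no framing protection, no Permissions-Policy); the hardened sample passes clean. Feeding it real captures is a matter of replacing the constructed dictionaries with the status and headers from your own HTTP client.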

7. Data Breach Readiness (Article 33)

Requirement: You must report certain breaches to the ICO within 72 hours.

  • You have a documented incident response plan
  • You know how to contact the ICO (ico.org.uk)
  • Server access logs are retained for a reasonable period
  • Admin accounts use strong passwords and MFA
  • Software and plugins are kept up to date

Check Your Technical Compliance Now

WebGuard's free scan checks many of the technical requirements above — SSL, security headers, cookie flags, and more — and gives you a compliance score against GDPR, OWASP, and PCI-DSS frameworks.

Run a free scan and see exactly where your site stands.
