The UK General Data Protection Regulation (UK GDPR), retained in UK law after Brexit through the Data Protection Act 2018, applies to every organisation that processes personal data of individuals in the United Kingdom. For businesses that operate a website — which in 2025 means virtually every business — this regulation has direct and specific implications for how you collect, store, and use data gathered through your online presence.
Despite the UK GDPR being in force since 2018, a staggering number of UK business websites remain non-compliant. Common violations include collecting personal data without proper consent, using analytics and tracking tools without appropriate cookie consent mechanisms, publishing inadequate or missing privacy policies, failing to secure data transmitted through contact forms, and retaining data far longer than necessary. The Information Commissioner's Office (ICO) has the power to issue fines of up to £17.5 million or 4% of global turnover — whichever is higher — for serious violations.
This guide covers the key areas of GDPR compliance that apply specifically to business websites, with practical steps you can implement to bring your site into compliance.
Cookie Consent: Getting It Right
Cookies are small data files stored on a visitor's browser that track behaviour, remember preferences, and enable analytics. Under the Privacy and Electronic Communications Regulations (PECR) — which work alongside the UK GDPR — you must obtain informed consent before placing any non-essential cookies on a visitor's device. The only cookies exempt from this requirement are those "strictly necessary" for the functioning of the website — such as session cookies that keep a user logged in or remember the contents of a shopping basket.
What Constitutes Valid Consent?
The ICO has been clear about what constitutes valid cookie consent. It must be freely given — the user must have a genuine choice, and you cannot make website access conditional on accepting cookies. It must be informed — the user must understand what cookies you are setting and what they do. It must be specific — consent for analytics cookies is not consent for advertising cookies. It must involve a positive action — pre-ticked checkboxes do not constitute consent. And it must be as easy to withdraw as it was to give.
Compliant Cookie Consent
- Clear explanation of cookie categories
- Separate opt-in for each category
- No pre-ticked boxes
- Easy to reject all non-essential cookies
- "Reject all" button equally prominent
- No cookie wall blocking site access
- Easy to change preferences later
Non-Compliant Cookie Consent
- Banner says "By continuing you accept cookies"
- Only an "Accept" button, no reject option
- Pre-ticked consent boxes
- Cookies set before consent is given
- "Reject" option hidden in settings
- Site unusable without accepting cookies
- No way to withdraw consent
Privacy Policy Requirements
Every UK business website must have a clear, accessible privacy policy that explains how you handle personal data. The UK GDPR specifies the information that must be included, and the ICO provides detailed guidance on what a compliant privacy policy looks like.
Essential Content
Your privacy policy must include: your organisation's identity and contact details; the contact details of your Data Protection Officer (if you have one); the types of personal data you collect; the purposes for which you process personal data and the legal basis for each purpose; who you share data with (including any third-party processors); whether you transfer data outside the UK and, if so, the safeguards in place; how long you retain data; the individual rights of data subjects (access, rectification, erasure, restriction, portability, objection); the right to complain to the ICO; and whether you use automated decision-making or profiling.
| Data Collection Point | Typical Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| Contact Form | Name, email, phone, message | Legitimate interest / Consent | 12 months or until enquiry resolved |
| Newsletter Signup | Name, email address | Consent (explicit opt-in required) | Until consent withdrawn |
| Analytics (Google) | IP address, browsing behaviour | Consent (via cookie banner) | 26 months (Google default) |
| E-commerce | Name, address, payment details | Contract performance | 6 years (tax/accounting obligation) |
| Job Applications | CV, personal details, references | Consent / Legitimate interest | 6 months post-recruitment |
Contact Forms and Data Collection
Contact forms are the most common data collection mechanism on UK business websites, and they frequently fall short of GDPR requirements. When a visitor submits a contact form, they are providing you with personal data — at minimum, their name and email address. This triggers your obligations under the UK GDPR.
Secure transmission. All contact form data must be transmitted over HTTPS (SSL/TLS encrypted). An unencrypted contact form that transmits personal data in plain text is a clear GDPR violation. Ensure your entire website uses HTTPS, not just the pages with forms.
Informed consent. Next to your contact form, include a clear statement explaining what you will do with the submitted data, link to your privacy policy, and if you intend to add the person to a marketing list, include a separate, unticked checkbox for marketing consent. Never pre-tick marketing consent boxes — this is explicitly non-compliant.
Data minimisation. Only collect the data you actually need. If your contact form asks for a date of birth, job title, company size, and postal address when all you need is a name and email to respond to an enquiry, you are collecting excessive data — a violation of the data minimisation principle.
Secure storage. Where does the form data go after submission? If it goes to a shared email inbox, ensure the inbox is properly secured. If it goes to a database, ensure the database is encrypted and access-controlled. Consider how long you retain contact form submissions and implement automatic deletion after an appropriate period.
If you use third-party form builders (Typeform, JotForm, Google Forms, etc.) to collect data through your website, remember that the third party is acting as a data processor on your behalf. You need a data processing agreement with them, and you need to verify that they store data in accordance with UK GDPR requirements. Check where they store data — if it is outside the UK, ensure adequate safeguards are in place. Your privacy policy should identify these third parties.
Analytics and Tracking
Google Analytics is installed on the vast majority of UK business websites, yet many installations are not GDPR-compliant. Under current ICO guidance, Google Analytics cookies require explicit consent before they are set — meaning the analytics tracking code should not fire until the user has actively opted in through your cookie consent mechanism.
If you use Google Analytics 4 (GA4), ensure that IP anonymisation is enabled (it is by default in GA4), that data retention is set to an appropriate period, that you have a data processing agreement with Google, and that you have configured GA4 to respect your cookie consent mechanism — only tracking users who have actively opted in.
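The consent rules above (separate opt-in per category, no pre-ticked boxes, rejection and withdrawal as easy as acceptance) and the requirement that the analytics tag must not fire before opt-in, as an added example that is not Cloudswitched's code. The storage and script-loader interfaces are assumed (`getItem`/`setItem` like `localStorage`, and a function that takes a script URL), the storage key is a constructed name, and the measurement ID is a placeholder.

```javascript
// Added example: consent-gated analytics loading for a cookie banner.
// Nothing tracking-related runs until the visitor actively opts in to the
// "analytics" category; "reject all" and later withdrawal are explicit operations.
// Storage and the loader are injected so the logic also runs outside a browser.
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories only
const CONSENT_KEY = "cookie_consent_v1";       // constructed storage key name

function createConsentManager({ storage, loadScript, now = () => Date.now() }) {
  function read() {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;        // null = no decision recorded yet
  }
  function write(granted) {
    // Record what was granted and when, so the decision can be evidenced and reviewed.
    storage.setItem(CONSENT_KEY, JSON.stringify({ granted, at: now() }));
  }
  return {
    hasDecision() { return read() !== null; },  // show the banner only while undecided
    // Visitor ticked specific boxes (none pre-ticked); unknown names are discarded.
    accept(categories) {
      write(CATEGORIES.filter((c) => categories.includes(c)));
    },
    rejectAll() { write([]); },                 // "Reject all" records an explicit decision
    withdraw(category) {                        // as easy to withdraw as to give
      const current = read();
      write((current ? current.granted : []).filter((c) => c !== category));
    },
    isAllowed(category) {
      const current = read();
      return current !== null && current.granted.includes(category);
    },
    // Inject the GA4 tag only after a positive opt-in for analytics; returns
    // whether the script was loaded so the caller can verify the gate held.
    loadAnalytics(measurementId) {              // e.g. "G-XXXXXXX" (placeholder)
      if (!this.isAllowed("analytics")) return false;
      loadScript(`https://www.googletagmanager.com/gtag/js?id=${measurementId}`);
      return true;
    },
  };
}

module.exports = { createConsentManager, CATEGORIES, CONSENT_KEY };
```

In a browser you would pass `window.localStorage` as `storage` and a loader that appends a `<script>` element, and call `loadAnalytics` only from the banner's accept handler and on later page loads where `isAllowed("analytics")` is true.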
Consider privacy-focused alternatives to Google Analytics that do not require cookie consent because they do not use cookies or process personal data. Platforms such as Plausible Analytics, Fathom, and Simple Analytics provide useful website statistics whilst being fully GDPR-compliant by design. These are particularly attractive for UK businesses that want analytics insights without the compliance overhead of Google Analytics.
Practical Steps to Achieve Compliance
Bringing your website into GDPR compliance need not be overwhelming. Here is a practical, prioritised approach.
Common GDPR Pitfalls on UK Websites
Dark patterns in cookie consent. Making the "Accept All" button large and colourful whilst hiding the "Reject" option behind multiple clicks is a dark pattern. The ICO has specifically warned against this practice. Make rejecting cookies as easy as accepting them.
Outdated privacy policies. A privacy policy written in 2018 and never updated is likely to be inaccurate. Review your privacy policy at least annually, and update it whenever you change your data processing activities, add new third-party tools, or change your data retention practices.
Ignoring subject access requests. Your website should make it easy for individuals to exercise their rights — particularly the right to access their data and the right to have it deleted. Include clear contact details for data protection queries and ensure you have a process for handling these requests within the legally required one-month timeframe.
Assuming your web developer handled it. GDPR compliance is ultimately the responsibility of the data controller — your business, not your web developer. Whilst a good web developer will implement technical compliance measures, the legal responsibility for ensuring compliance rests with you.
Is Your Website GDPR Compliant?
Cloudswitched builds GDPR-compliant websites for UK businesses, handling cookie consent implementation, privacy policy development, secure form configuration, and analytics setup. If you are unsure whether your current website meets UK GDPR requirements, get in touch for a compliance review.