The UK General Data Protection Regulation (UK GDPR), retained in UK law after Brexit through the Data Protection Act 2018, applies to every organisation that processes personal data of individuals in the United Kingdom. For businesses that operate a website — which in 2025 means virtually every business — this regulation has direct and specific implications for how you collect, store, and use data gathered through your online presence.
Despite the UK GDPR being in force since 2018, a staggering number of UK business websites remain non-compliant. Common violations include collecting personal data without proper consent, using analytics and tracking tools without appropriate cookie consent mechanisms, publishing inadequate or missing privacy policies, failing to secure data transmitted through contact forms, and retaining data far longer than necessary. The Information Commissioner's Office (ICO) has the power to issue fines of up to £17.5 million or 4% of global turnover — whichever is higher — for serious violations.
This guide covers the key areas of GDPR compliance that apply specifically to business websites, with practical steps you can implement to bring your site into compliance.
Cookie Consent: Getting It Right
Cookies are small data files stored in a visitor's browser that track behaviour, remember preferences, and enable analytics. Under the Privacy and Electronic Communications Regulations (PECR) — which work alongside the UK GDPR — you must obtain informed consent before placing any non-essential cookies on a visitor's device. The only cookies exempt from this requirement are those "strictly necessary" for the functioning of the website — such as session cookies that keep a user logged in or remember the contents of a shopping basket.
What Constitutes Valid Consent?
The ICO has been clear about what constitutes valid cookie consent. It must be freely given — the user must have a genuine choice, and you cannot make website access conditional on accepting cookies. It must be informed — the user must understand what cookies you are setting and what they do. It must be specific — consent for analytics cookies is not consent for advertising cookies. It must involve a positive action — pre-ticked checkboxes do not constitute consent. And it must be as easy to withdraw as it was to give.
Compliant Cookie Consent
- Clear explanation of cookie categories
- Separate opt-in for each category
- No pre-ticked boxes
- Easy to reject all non-essential cookies
- "Reject all" button equally prominent
- No cookie wall blocking site access
- Easy to change preferences later
Non-Compliant Cookie Consent
- Banner says "By continuing you accept cookies"
- Only an "Accept" button, no reject option
- Pre-ticked consent boxes
- Cookies set before consent is given
- "Reject" option hidden in settings
- Site unusable without accepting cookies
- No way to withdraw consent
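The two lists above describe behaviour; the following is an added example (not code from the article or from any consent-management product) of the logic behind a compliant banner, written so it runs under Node without a browser. Category names, the script-tagging scheme and the sample cookie string are assumptions made for the illustration.

```javascript
// Added example, not code from the article: a small consent model that follows
// the ICO criteria above. Non-essential categories start as denied (no positive
// action has happened yet), each category is granted on its own, withdrawal is a
// single call, and a script tagged with a category may only be activated once
// that category is granted. Category names and the script tagging scheme are
// assumptions for this illustration.
const CATEGORIES = ["necessary", "analytics", "advertising", "functional"];

function createConsentState() {
  // Strictly necessary cookies need no consent; everything else is off by default.
  const state = {};
  for (const c of CATEGORIES) state[c] = c === "necessary";
  return state;
}

// "Reject all" is simply the default state: nothing non-essential is allowed.
const rejectAll = () => createConsentState();

function grantConsent(state, categories) {
  // Consent is specific: granting "analytics" says nothing about "advertising".
  const next = { ...state };
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    next[c] = true;
  }
  return next;
}

function withdrawConsent(state, categories) {
  const next = { ...state };
  for (const c of categories) {
    if (c === "necessary") continue; // strictly necessary cookies cannot be refused
    next[c] = false;
  }
  return next;
}

// Scripts are tagged with a category, e.g. <script type="text/plain"
// data-consent="analytics" data-src="...">, and only activated when allowed.
function scriptsToLoad(state, scripts) {
  return scripts.filter((s) => state[s.category] === true);
}

// Audit helper for the "cookies set before consent is given" failure: parse a
// document.cookie string ("name=value; name=value") and return every cookie that
// is not on the allowlist of strictly necessary names.
function nonEssentialCookies(cookieString, essentialNames) {
  const essential = new Set(essentialNames);
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0 && !essential.has(name));
}

// Worked run on constructed data.
const tagged = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];
let consent = rejectAll();                       // banner shown, nothing chosen yet
consent = grantConsent(consent, ["analytics"]);  // visitor ticks only "analytics"
console.log(scriptsToLoad(consent, tagged).map((s) => s.src));
console.log(nonEssentialCookies("sessionid=abc; _ga=GA1.2.1; basket=xyz", ["sessionid", "basket"]));
```

In a real page the tagged scripts are emitted with a non-executable type (`type="text/plain"`) so the browser ignores them; the consent code swaps in the real `src` and type only for the categories `scriptsToLoad` returns. Running `nonEssentialCookies` against `document.cookie` on first load, before any interaction with the banner, is a quick self-test for the "cookies set before consent" failure: the result should be an empty list.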
The True Cost of Non-Compliance
Understanding the financial and reputational risks of GDPR non-compliance is essential for prioritising your compliance efforts and securing budget approval from senior leadership. The ICO has become increasingly active in enforcement since 2020, and the penalties for UK business websites that fail to meet their obligations can be substantial. Beyond the headline maximum fines, organisations face a range of consequences that many business owners underestimate.
The chart above illustrates the most common GDPR compliance failures found on UK business websites, based on audits conducted across small and medium-sized enterprises. The prevalence of these issues demonstrates that most UK websites have significant work to do. Each of these failures represents a potential enforcement action, a data breach waiting to happen, or a loss of customer trust that can directly impact revenue and business growth.
The ICO issued over £42 million in fines during the 2023-2024 reporting period, and the trend is accelerating. Critically, the ICO does not only pursue large enterprises. Small and medium-sized businesses have received enforcement notices, reprimands, and financial penalties for website-related GDPR violations. In several notable cases, the ICO took action against businesses with fewer than 50 employees that had failed to implement basic website compliance measures such as cookie consent mechanisms and adequate privacy policies.
Beyond direct financial penalties, non-compliance creates significant indirect costs. Customer complaints to the ICO can trigger formal investigations that consume substantial management time and legal resources. Negative publicity from an ICO enforcement action can damage your brand for years. Business partners and enterprise clients increasingly require GDPR compliance evidence as part of their supplier due diligence process, and a compliance failure can disqualify your organisation from lucrative contracts and tenders.
Privacy Policy Requirements
Every UK business website must have a clear, accessible privacy policy that explains how you handle personal data. The UK GDPR specifies the information that must be included, and the ICO provides detailed guidance on what a compliant privacy policy looks like.
Essential Content
Your privacy policy must include: your organisation's identity and contact details; the contact details of your Data Protection Officer (if you have one); the types of personal data you collect; the purposes for which you process personal data and the legal basis for each purpose; who you share data with (including any third-party processors); whether you transfer data outside the UK and, if so, the safeguards in place; how long you retain data; the individual rights of data subjects (access, rectification, erasure, restriction, portability, objection); the right to complain to the ICO; and whether you use automated decision-making or profiling.
| Data Collection Point | Typical Data Collected | Legal Basis | Retention Period |
|---|---|---|---|
| Contact Form | Name, email, phone, message | Legitimate interest / Consent | 12 months or until enquiry resolved |
| Newsletter Signup | Name, email address | Consent (explicit opt-in required) | Until consent withdrawn |
| Analytics (Google) | IP address, browsing behaviour | Consent (via cookie banner) | 26 months (Google default) |
| E-commerce | Name, address, payment details | Contract performance | 6 years (tax/accounting obligation) |
| Job Applications | CV, personal details, references | Consent / Legitimate interest | 6 months post-recruitment |
Contact Forms and Data Collection
Contact forms are the most common data collection mechanism on UK business websites, and they frequently fall short of GDPR requirements. When a visitor submits a contact form, they are providing you with personal data — at minimum, their name and email address. This triggers your obligations under the UK GDPR.
Secure transmission. All contact form data must be transmitted over HTTPS (SSL/TLS encrypted). An unencrypted contact form that transmits personal data in plain text is a clear GDPR violation. Ensure your entire website uses HTTPS, not just the pages with forms.
Informed consent. Next to your contact form, include a clear statement explaining what you will do with the submitted data, link to your privacy policy, and if you intend to add the person to a marketing list, include a separate, unticked checkbox for marketing consent. Never pre-tick marketing consent boxes — this is explicitly non-compliant.
Data minimisation. Only collect the data you actually need. If your contact form asks for a date of birth, job title, company size, and postal address when all you need is a name and email to respond to an enquiry, you are collecting excessive data — a violation of the data minimisation principle.
Secure storage. Where does the form data go after submission? If it goes to a shared email inbox, ensure the inbox is properly secured. If it goes to a database, ensure the database is encrypted and access-controlled. Consider how long you retain contact form submissions and implement automatic deletion after an appropriate period.
If you use third-party form builders (Typeform, JotForm, Google Forms, etc.) to collect data through your website, remember that the third party is acting as a data processor on your behalf. You need a data processing agreement with them, and you need to verify that they store data in accordance with UK GDPR requirements. Check where they store data — if it is outside the UK, ensure adequate safeguards are in place. Your privacy policy should identify these third parties.
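The four points above (secure transmission, informed consent, data minimisation, secure storage with a retention limit) translate into a few lines of server-side logic. The following is an added example, not code from the article: it accepts a contact-form submission, drops any field the form is not entitled to collect, records when the enquiry arrived, and purges records once they are resolved or older than the retention period. The field list, the 12-month limit (taken from the retention table earlier on this page) and the in-memory store are assumptions for the illustration.

```javascript
// Added example, not code from the article. Field names, the retention period and
// the in-memory store are assumptions; a real site would use its database.
const ALLOWED_FIELDS = ["name", "email", "message"]; // all we need to reply to an enquiry
const RETENTION_DAYS = 365;                           // "12 months or until enquiry resolved"
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Data minimisation: keep only the allowed fields; anything extra the template
// happened to include (date of birth, company size, ...) is dropped and reported.
function minimiseSubmission(body) {
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    if (ALLOWED_FIELDS.includes(key)) kept[key] = String(value).trim();
    else dropped.push(key);
  }
  for (const f of ALLOWED_FIELDS) {
    if (!kept[f]) throw new Error(`missing required field: ${f}`);
  }
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(kept.email)) throw new Error("invalid email address");
  return { kept, dropped };
}

// Each stored record carries the timestamp the retention clock starts from and a
// "resolved" flag so an enquiry can be purged as soon as it has been dealt with.
function storeSubmission(store, body, now = Date.now()) {
  const { kept, dropped } = minimiseSubmission(body);
  const record = { id: store.length + 1, ...kept, receivedAt: now, resolved: false };
  store.push(record);
  return { id: record.id, dropped };
}

function markResolved(store, id) {
  const record = store.find((r) => r.id === id);
  if (record) record.resolved = true;
  return Boolean(record);
}

// Retention purge (run on a schedule): delete anything resolved or older than
// RETENTION_DAYS. Returns the ids removed so each run can be logged as evidence
// that the retention schedule is actually followed.
function purgeExpired(store, now = Date.now()) {
  const cutoff = now - RETENTION_DAYS * MS_PER_DAY;
  const removed = [];
  for (let i = store.length - 1; i >= 0; i--) {
    const r = store[i];
    if (r.resolved || r.receivedAt < cutoff) {
      removed.push(r.id);
      store.splice(i, 1);
    }
  }
  return removed.sort((a, b) => a - b);
}

// Secure transmission: refuse to process a form posted over plain HTTP. Behind a
// reverse proxy, derive the scheme from the proxy's forwarded-protocol header instead.
function isSecureRequest(requestUrl) {
  return new URL(requestUrl).protocol === "https:";
}

// Worked run on constructed data.
const submissions = [];
const received = storeSubmission(submissions, {
  name: "A. Person", email: "a.person@example.com", message: "Please call me back",
  dob: "1990-01-01", company_size: "50", // excess fields: dropped, never stored
});
console.log("stored id", received.id, "dropped fields", received.dropped);
console.log("purged", purgeExpired(submissions, Date.now() + 400 * MS_PER_DAY));
```

The purge deliberately returns what it deleted rather than deleting silently: a dated log of purge runs is the evidence an auditor asks for when checking that the retention period in your privacy policy is honoured in practice.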
Data Subject Rights and Your Website
One of the most important — and frequently neglected — aspects of GDPR compliance for business websites is facilitating the exercise of data subject rights. Under the UK GDPR, every individual whose personal data you process has a comprehensive set of rights, and your website must make it straightforward for them to exercise those rights. Failure to respond to a valid data subject request within the legally mandated timeframe is itself a GDPR violation that can result in ICO enforcement action.
The Right of Access (Subject Access Requests)
Any individual can request a copy of all personal data you hold about them. This is known as a Subject Access Request (SAR), and you must respond within one calendar month. For website operators, this means you must be able to identify and retrieve all data associated with a given individual across every system your website feeds into — your CRM, email marketing platform, analytics tools, customer databases, helpdesk systems, and any other platform that receives data from your website.
Create a clear, accessible page on your website that explains how individuals can submit a subject access request. Include a dedicated email address or contact form for data protection enquiries, and ensure that whoever monitors that channel understands the legal requirements and timeframes. Many UK businesses make the mistake of routing data protection requests through general customer service queues, where they can be delayed, misunderstood, or lost among routine enquiries.
The Right to Erasure (Right to Be Forgotten)
Individuals can request that you delete all personal data you hold about them, subject to certain exceptions (such as data you are legally required to retain for tax or regulatory purposes). For website operators, this means you must have the ability to locate and delete an individual's records across all connected systems. If someone submitted a contact form two years ago and their details were added to your CRM, marketing list, and analytics segments, a valid erasure request requires you to remove their data from all of those locations — not just one.
Implement a documented erasure process that covers every data store connected to your website. This should include step-by-step instructions for your team, a checklist of all systems that need to be purged, and a verification procedure to confirm that deletion is complete. The ICO has noted that many organisations fail to fully comply with erasure requests because they forget about backup systems, archived data, or third-party platforms that received a copy of the data through automated integrations.
The Right to Rectification and Data Portability
Individuals also have the right to have inaccurate data corrected (rectification) and the right to receive their data in a commonly used, machine-readable format (portability). While these rights are exercised less frequently than access and erasure requests, your website should still facilitate them. If you maintain customer accounts or profiles on your website, provide self-service options for users to update their own information. For data portability requests, ensure you can export an individual's data in a standard format such as CSV or JSON within the one-month timeframe.
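Access, erasure and portability all come down to the same capability: finding one person's records in every system the website feeds and acting on all of them. The following is an added example, not code from the article, that does this against in-memory stores standing in for a CRM, a mailing list, analytics segments and an orders table. The sample records are constructed, and the rule that order records are kept (pseudonymised rather than deleted) for tax purposes is an assumption matching the retention table earlier on this page.

```javascript
// Added example, not code from the article. The stores, sample records and the
// orders retention rule are assumptions for illustration.
function createStores() {
  return {
    crm:       { records: [], retainFor: null },
    mailing:   { records: [], retainFor: null },
    analytics: { records: [], retainFor: null },
    orders:    { records: [], retainFor: "tax/accounting obligation (6 years)" },
  };
}

// Constructed sample data: one subject spread across all four systems, one other.
function seedSample(s) {
  s.crm.records.push({ email: "jane@example.com", name: "Jane Example", phone: "01234 567890" });
  s.mailing.records.push({ email: "jane@example.com", subscribed: true });
  s.analytics.records.push({ email: "jane@example.com", segment: "returning-visitors" });
  s.orders.records.push({ email: "jane@example.com", orderId: "ORD-1001", total: 49.99 });
  s.crm.records.push({ email: "sam@example.com", name: "Sam Sample", phone: "" });
  return s;
}

const norm = (email) => email.trim().toLowerCase();

// Right of access: every record keyed to the address, in every connected system.
function locateSubject(s, email) {
  const target = norm(email);
  const found = {};
  for (const [system, store] of Object.entries(s)) {
    const hits = store.records.filter((r) => norm(r.email) === target);
    if (hits.length) found[system] = hits;
  }
  return found;
}

function csvEscape(value) {
  const text = String(value);
  return /[",\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

// Data portability: the same data as JSON and as a flat CSV (system,field,value).
function exportSubject(s, email) {
  const found = locateSubject(s, email);
  const rows = ["system,field,value"];
  for (const [system, hits] of Object.entries(found)) {
    for (const record of hits) {
      for (const [field, value] of Object.entries(record)) rows.push(`${system},${field},${csvEscape(value)}`);
    }
  }
  return { json: JSON.stringify(found, null, 2), csv: rows.join("\n") };
}

// Right to erasure: delete from every store; where a legal retention rule applies,
// strip identifying fields instead and record why. The returned checklist is the
// per-system verification record, and "verified" re-runs the search afterwards.
const IDENTIFYING_FIELDS = ["name", "phone", "address"];
function eraseSubject(s, email) {
  const target = norm(email);
  const checklist = [];
  for (const [system, store] of Object.entries(s)) {
    if (store.retainFor) {
      let count = 0;
      for (const r of store.records) {
        if (norm(r.email) !== target) continue;
        r.email = "erased";
        for (const f of IDENTIFYING_FIELDS) delete r[f];
        count++;
      }
      checklist.push({ system, action: "pseudonymised", count, reason: store.retainFor });
    } else {
      const before = store.records.length;
      store.records = store.records.filter((r) => norm(r.email) !== target);
      checklist.push({ system, action: "deleted", count: before - store.records.length, reason: null });
    }
  }
  const remaining = Object.keys(locateSubject(s, email)).length;
  return { checklist, verified: remaining === 0 };
}

// Worked run on the constructed data.
const demo = seedSample(createStores());
console.log(exportSubject(demo, "jane@example.com").csv);
console.log(eraseSubject(demo, "jane@example.com"));
```

The important design point is that `eraseSubject` iterates over a single registry of stores: when a new integration is added to the website, adding it to `createStores` is the only change needed, which is how you avoid the "forgot about the third-party platform" failure the ICO describes. Backups and third-party processors that hold copies need an entry here too, even if the action for them is a ticket rather than a direct delete.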
Analytics and Tracking
Google Analytics is installed on the vast majority of UK business websites, yet many installations are not GDPR-compliant. Under current ICO guidance, Google Analytics cookies require explicit consent before they are set — meaning the analytics tracking code should not fire until the user has actively opted in through your cookie consent mechanism.
If you use Google Analytics 4 (GA4), ensure that IP anonymisation is enabled (it is by default in GA4), that data retention is set to an appropriate period, that you have a data processing agreement with Google, and that you have configured GA4 to respect your cookie consent mechanism — only tracking users who have actively opted in.
Consider privacy-focused alternatives to Google Analytics that do not require cookie consent because they do not use cookies or process personal data. Platforms such as Plausible Analytics, Fathom, and Simple Analytics provide useful website statistics whilst being fully GDPR-compliant by design. These are particularly attractive for UK businesses that want analytics insights without the compliance overhead of Google Analytics.
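To make the two GA4 points above concrete (no tracking until opt-in, and GA4 configured to respect the consent mechanism), here is an added example that is not code from the article or from Google. `gtag()` is nothing more than a function that pushes commands onto `window.dataLayer`, so it is modelled with a plain array and the whole flow runs under Node. The measurement id is a placeholder, and `loadScript` stands in for however the page injects a `<script>` element.

```javascript
// Added example, not the article's or Google's code. The measurement id is a
// placeholder and loadScript is an assumed injector supplied by the page.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); } // real gtag pushes `arguments`

const MEASUREMENT_ID = "G-XXXXXXXXXX"; // placeholder, not a real GA4 property id

// Step 1: queued on every page before any tag loads. All storage is denied, and
// wait_for_update tells tags to hold for up to 500 ms for a consent update.
function setConsentDefaults() {
  gtag("consent", "default", {
    analytics_storage: "denied",
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    wait_for_update: 500,
  });
}

// Step 2: map the banner's per-category decision onto GA4 consent signals.
// Analytics consent does not imply advertising consent (consent must be specific).
function consentUpdateFor(decision) {
  const ads = decision.advertising ? "granted" : "denied";
  return {
    analytics_storage: decision.analytics ? "granted" : "denied",
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
  };
}

// Step 3: send the update and, only on an analytics opt-in, fetch gtag.js and
// configure the property. Without opt-in the loader is never requested, so no
// analytics cookie can be set (stricter than relying on consent mode alone).
function applyConsentDecision(decision, loadScript) {
  gtag("consent", "update", consentUpdateFor(decision));
  if (!decision.analytics) return false;
  loadScript(`https://www.googletagmanager.com/gtag/js?id=${MEASUREMENT_ID}`);
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID);
  return true;
}

// Worked run: defaults first, then a visitor who accepts analytics but not ads.
setConsentDefaults();
const requested = [];
applyConsentDecision({ analytics: true, advertising: false }, (url) => requested.push(url));
console.log("scripts requested:", requested);
console.log("dataLayer commands:", dataLayer.map((cmd) => cmd.slice(0, 2).join(" ")));
```

A later change of mind (withdrawing consent from the preferences page) is just another `gtag("consent", "update", ...)` with the relevant signals set back to `"denied"`; the loader cannot be un-fetched, which is why the default-deny command must always be queued first and why withholding the loader until opt-in is the safer pattern.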
International Data Transfers and Website Compliance
Many UK business websites inadvertently transfer personal data outside the United Kingdom through the third-party tools and services they use. Every time your website loads a script from a US-based analytics provider, sends form data to a CRM hosted in the United States, or embeds a video from a platform with servers located outside the UK, you may be initiating an international data transfer that requires specific legal safeguards under UK GDPR.
Common Sources of International Transfers on Websites
Audit your website for the following common sources of international data transfers. Google Analytics, Google Fonts, Google reCAPTCHA, and other Google services transfer data to servers in the United States. Facebook Pixel, Instagram embeds, and Meta advertising tools transfer data to Meta servers internationally. Mailchimp, HubSpot, Salesforce, and similar marketing and CRM platforms frequently process data outside the UK. Content delivery networks, video hosting platforms such as YouTube and Vimeo, and live chat widgets may all involve transfers to jurisdictions that do not have an adequacy decision from the UK government.
For each international transfer you identify, you must ensure that one of the following legal mechanisms is in place. An adequacy decision means the UK government has determined that the destination country provides an adequate level of data protection — the EU and EEA countries, amongst others, currently have adequacy status. Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA) are legal agreements between you and the data processor that contractually guarantee adequate protection. Binding Corporate Rules apply to transfers within multinational corporate groups. Without one of these mechanisms in place, the international transfer is unlawful under UK GDPR.
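The audit step above starts with a simple question: which external hosts does each page actually load? The following is an added example, not code from the article, that scans a page's HTML for `script`, `link`, `iframe` and `img` sources and lists every third-party host once, as the seed for a transfer register. The sample HTML, the site origin and the placeholder ids in it are constructed; the destination country and legal mechanism columns are left for the practitioner to complete from each vendor's terms.

```javascript
// Added example, not code from the article. SAMPLE_HTML and the site origin are
// constructed; ids in the URLs are placeholders.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"></script>
<script src="/assets/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://www.facebook.com/tr?id=PIXEL_ID&ev=PageView" width="1" height="1">
<img src="https://cdn.example.co.uk/logo.png">
</body></html>`;

// Matches the first src/href attribute of each resource-loading tag.
const SRC_ATTR = /<(script|link|iframe|img)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Every host other than the site's own, with the tag types that reference it and
// one example URL (query string removed, since it often carries identifiers).
function externalOrigins(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const seen = new Map();
  for (const match of html.matchAll(SRC_ATTR)) {
    const [, tag, raw] = match;
    let url;
    try { url = new URL(raw, site); } catch (e) { continue; }
    if (!/^https?:$/.test(url.protocol) || url.host === site.host) continue;
    const entry = seen.get(url.host) || { host: url.host, tags: new Set(), example: url.origin + url.pathname };
    entry.tags.add(tag.toLowerCase());
    seen.set(url.host, entry);
  }
  return [...seen.values()].map((e) => ({ host: e.host, tags: [...e.tags].sort(), example: e.example }));
}

// Rows for the transfer register / TIA. Destination and mechanism are deliberately
// left as TODO: they come from the vendor's documentation and your contract, not
// from the HTML. Your own CDN (a subdomain here) still appears so you can decide
// explicitly whether it is first-party.
function transferRegister(html, siteOrigin) {
  return externalOrigins(html, siteOrigin).map((e) => ({
    ...e,
    destination: "TODO",
    mechanism: "TODO (adequacy decision / IDTA / SCCs / BCRs)",
    dpaOnFile: false,
  }));
}

// Worked run on the constructed page.
console.table(transferRegister(SAMPLE_HTML, "https://www.example.co.uk"));
```

Run this against the rendered HTML of each page template (not just the home page), and repeat after any change to tag managers or embeds: scripts loaded by scripts, such as those a tag manager injects, only show up when you capture the page after it has run, so a browser-side capture of outgoing requests is the complementary check.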
Practical Steps for Managing International Transfers
Conduct a Transfer Impact Assessment (TIA) for each international data transfer associated with your website. Document the nature of the data being transferred, the destination country, the legal mechanism relied upon, and any supplementary measures you have implemented to protect the data. Review these assessments annually and update them whenever you change a third-party tool or service provider.
Where possible, choose UK-based or EU-based alternatives to tools that transfer data to jurisdictions without adequate protection. This approach — sometimes called data localisation — simplifies your compliance obligations significantly and reduces the risk of enforcement action. For essential tools where no UK-based alternative exists, ensure your Standard Contractual Clauses or IDTA are up to date and that you have conducted a thorough risk assessment of the specific transfer.
GDPR Compliance for E-commerce Websites
E-commerce websites face additional GDPR compliance challenges due to the volume and sensitivity of personal data they process. Online shops collect names, postal addresses, email addresses, phone numbers, and payment card details as part of every transaction, and they frequently retain this data for extended periods to support order history, returns processing, and marketing activities.
Payment Data and PCI DSS
While payment card data is primarily regulated by the Payment Card Industry Data Security Standard (PCI DSS), it also constitutes personal data under UK GDPR. If your e-commerce website processes payments, ensure that you use a PCI DSS-compliant payment gateway that handles card data directly, minimising the amount of payment information that touches your own systems. Never store full card numbers, CVV codes, or other authentication data on your own servers — even in encrypted form — unless you are fully PCI DSS certified. Most UK e-commerce businesses should use hosted payment pages or tokenisation to ensure that sensitive payment data never enters their environment.
Customer Accounts and Order History
E-commerce websites that offer customer accounts must clearly explain what data is stored in those accounts, provide customers with the ability to download their order history and personal information (supporting the right to data portability), offer a straightforward account deletion mechanism that removes all personal data except that which you are legally required to retain (such as transaction records needed for tax compliance), and ensure that account passwords are stored using strong, modern hashing algorithms — never in plain text.
Guest checkout options should be available for customers who do not wish to create an account. Forcing account creation to complete a purchase is not inherently a GDPR violation, but it does increase your data protection obligations and may deter privacy-conscious customers. Providing a guest checkout option with minimal data collection demonstrates respect for the data minimisation principle and can actually improve conversion rates.
Marketing and Remarketing Compliance
E-commerce businesses heavily rely on email marketing and remarketing advertising to drive repeat purchases. Under UK GDPR and PECR, marketing emails require explicit, freely given consent obtained through a clear opt-in mechanism. A checkbox during checkout that says "Tick here to receive marketing emails" is acceptable — provided it is not pre-ticked. However, a statement in your terms and conditions that customers agree to receive marketing by completing a purchase is not valid consent.
Remarketing pixels and advertising cookies (such as the Meta Pixel, Google Ads conversion tracking, and similar tools) require explicit cookie consent before they are activated. These tools track visitor behaviour across your website and share that data with advertising platforms, which constitutes both the use of non-essential cookies and the sharing of personal data with third parties. Both activities require informed, specific consent under UK law. Implement your cookie consent mechanism to ensure that no advertising or remarketing scripts load until the visitor has actively opted in.
Practical Steps to Achieve Compliance
Bringing your website into GDPR compliance need not be overwhelming. Here is a practical, prioritised approach.
Building a GDPR Compliance Culture
Technical compliance measures on your website are essential, but they must be supported by a broader organisational culture that values data protection. GDPR compliance is not solely the responsibility of your web developer or IT team — it requires awareness and commitment from everyone in your organisation who touches customer data or makes decisions about website functionality.
Staff Training and Awareness
Every member of staff who interacts with personal data collected through your website should receive regular GDPR awareness training. This includes customer service teams who access CRM data, marketing teams who manage email campaigns and analytics, sales teams who follow up on website enquiries, and management who make decisions about data usage and third-party tools. The training should cover the basic principles of UK GDPR, the specific data protection obligations relevant to their role, how to recognise and escalate a data subject request, what constitutes a personal data breach and how to report one internally, and the consequences of non-compliance for both the organisation and individuals.
Schedule training sessions at least annually, and provide refresher briefings whenever significant changes occur — such as the adoption of a new CRM system, changes to your cookie consent implementation, or updates to ICO guidance. Keep records of all training activities, as these demonstrate to the ICO that your organisation takes its data protection obligations seriously and can support your position in the event of an investigation.
Regular Compliance Audits
Conduct a thorough GDPR compliance audit of your website at least once per year, and after any significant website redesign or platform migration. A comprehensive audit should assess every data collection point on your website (forms, analytics, cookies, user accounts), verify that your privacy policy accurately reflects your current data processing activities, test your cookie consent mechanism to ensure no non-essential cookies are set before consent is given, check that all data transmission is encrypted using current TLS protocols, review your third-party data processors and ensure data processing agreements are current, verify that your data subject request process works correctly from submission through to fulfilment, and confirm that data retention schedules are being followed and expired data is being deleted.
Document the findings of each audit and create an action plan for addressing any deficiencies identified. This documentation serves as evidence of your ongoing compliance efforts and demonstrates the accountability principle — one of the core requirements of UK GDPR that many organisations overlook. The ICO has specifically cited the absence of regular compliance reviews as an aggravating factor in several enforcement actions, making this a straightforward but highly impactful compliance activity.
Common GDPR Pitfalls on UK Websites
Dark patterns in cookie consent. Making the "Accept All" button large and colourful whilst hiding the "Reject" option behind multiple clicks is a dark pattern. The ICO has specifically warned against this practice. Make rejecting cookies as easy as accepting them.
Outdated privacy policies. A privacy policy written in 2018 and never updated is likely to be inaccurate. Review your privacy policy at least annually, and update it whenever you change your data processing activities, add new third-party tools, or change your data retention practices.
Ignoring subject access requests. Your website should make it easy for individuals to exercise their rights — particularly the right to access their data and the right to have it deleted. Include clear contact details for data protection queries and ensure you have a process for handling these requests within the legally required one-month timeframe.
Assuming your web developer handled it. GDPR compliance is ultimately the responsibility of the data controller — your business, not your web developer. Whilst a good web developer will implement technical compliance measures, the legal responsibility for ensuring compliance rests with you.
Secure Your Website and Protect Customer Data
Cloudswitched helps UK businesses achieve and maintain GDPR compliance through comprehensive cyber security services. From website compliance audits and cookie consent implementation to ongoing monitoring and Cyber Essentials certification, we ensure your digital presence meets every regulatory requirement whilst building customer trust.