The GDPR Compliance Checklist for UK Websites

Checklist | UK | May 6, 2026


What every UK business actually needs under UK GDPR and PECR — without the legal jargon. Cookie consent, privacy policies, data subject rights, DPAs, and ICO registration. Built for founders, not lawyers.

The ICO issued £7.5 million in fines in 2023–2024 alone. The most common violations were not complex technical failures — they were missing cookie consent mechanisms, inadequate privacy policies, and unlawful marketing emails. This checklist fixes all of that in plain English.

We are not lawyers and this is not legal advice. This is a practical operational checklist based on ICO enforcement cases and published guidance. Always consult a solicitor for advice specific to your situation.

Section 1 — Map Your Data Before You Can Comply

You cannot comply with GDPR for data you don't know you're collecting. This is the step almost every SME skips — and it's where enforcement starts.

  • You have listed every point where your website collects personal data: contact forms, newsletter signups, quote requests, live chat, checkout flows, analytics, comment sections
  • You have identified every third-party tool that collects or processes data on your behalf: Google Analytics, Facebook Pixel, HubSpot, Intercom, Stripe, Mailchimp, Hotjar, Calendly
  • You know where each piece of data is stored and whether it leaves the UK or EU — this matters post-Brexit
  • You have a named Data Controller — for SMEs this is usually the founder or MD
  • You have documented your lawful basis for processing each data type: Consent, Legitimate Interest, Contract, or Legal Obligation
  • You have checked whether you need to register with the ICO — most UK businesses that process personal data must register (£40–£60/year). Check at ico.org.uk/registration
  • Ensure your hosting and maintenance are secure. Hamrix Maintenance & Support includes security hardening.

Section 2 — Privacy Policy

ICO Enforcement Priority: A privacy policy that is copy-pasted boilerplate, out of date, or does not match your actual data practices is treated the same as having no privacy policy. It must be accurate and current.
  • Privacy Policy page exists and is linked in the footer of every page — not just the contact page
  • Written in plain English — not copied from a US template (US privacy law is different from UK GDPR)
  • States all of the following clearly: what personal data you collect, why you collect it, your lawful basis for processing it, how long you retain it, who you share it with, and how users can exercise their rights
  • Names every third-party tool that processes user data on your behalf — Google, Meta, your email platform, your CRM, your payment processor
  • Includes your ICO registration number if you are registered
  • Includes a dedicated data requests contact: e.g. privacy@yourdomain.co.uk
  • Last Updated date is visible — ICO guidance requires this. Update it every time your data practices change.
  • If you have users under 13: specific section on children's data compliant with COPPA and UK GDPR children's code

Section 3 — Cookie Consent

ICO Active Enforcement (2024): The ICO has specifically flagged "Reject All" buttons that are harder to find than "Accept All" as an enforcement priority. Equal prominence is required by law.
  • Cookie consent banner appears on first visit before any non-essential cookies are set — verify this with browser developer tools in an incognito window
  • "Reject All" or "Manage Preferences" option is as prominent and easy to click as "Accept All"
  • Cookies are categorised: Necessary, Analytics, Marketing, Preferences — users can accept or reject each category independently
  • Consent is recorded server-side — you must be able to demonstrate a specific user consented on a specific date if audited
  • Users can change their consent at any time via a persistent link in the footer ("Cookie Settings" or "Manage Cookies")
  • No cookies except strictly necessary ones fire before consent is given — test Google Analytics, Facebook Pixel, Hotjar specifically
  • Cookie Policy explains each cookie by name, its purpose, its provider, and its expiry duration
Recommended Tools: Cookiebot, CookieYes, or Osano — all have UK/EU-compliant free tiers for small sites.
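As an added example (not Hamrix's code, nor any vendor's consent tool), the JavaScript below shows the two mechanics the checklist asks you to verify: non-essential tags load only for categories the visitor actually accepted, and the consent record carries the date and policy version you would need to evidence a specific consent if audited. The tag catalogue, the placeholder script URLs and the 365-day re-consent interval are assumptions.

```javascript
// Added example, not Hamrix's or any vendor's code: a minimal consent gate.
// Non-essential tags load only for categories the visitor accepted, and the
// consent record carries the date and policy version needed to evidence it.

// Constructed catalogue of the site's non-essential tags, keyed by the
// categories in the checklist; the URLs are placeholders, not vendor script URLs.
const TAG_CATALOGUE = {
  analytics:   [{ name: "Google Analytics", src: "https://example.invalid/ga.js" }],
  marketing:   [{ name: "Meta Pixel",       src: "https://example.invalid/pixel.js" }],
  preferences: [],
};
const CATEGORIES = ["analytics", "marketing", "preferences"];

// Build the record to POST to your backend and store against the visitor:
// what was accepted, when, and under which version of the cookie policy.
function buildConsentRecord(choices, policyVersion, now = new Date()) {
  const categories = { necessary: true };     // strictly necessary cookies need no consent
  for (const c of CATEGORIES) categories[c] = choices[c] === true;   // anything unset is a reject
  return { consentedAt: now.toISOString(), policyVersion, categories };
}

// A stored record stays valid only while it matches the current policy version
// and is younger than the re-consent interval (the 365-day default is an assumption).
function consentIsCurrent(record, policyVersion, now = new Date(), maxAgeDays = 365) {
  if (!record || record.policyVersion !== policyVersion) return false;
  const ageMs = now - new Date(record.consentedAt);
  return Number.isFinite(ageMs) && ageMs >= 0 && ageMs < maxAgeDays * 86400000;
}

// Which tags may load: none without a valid record (first visit, or a stale
// record after a policy change), otherwise only the accepted categories.
function allowedTags(record, catalogue) {
  if (!record || !record.categories) return [];
  return CATEGORIES.filter((c) => record.categories[c] === true)
    .flatMap((c) => catalogue[c] || []);
}

// Browser side: inject the permitted scripts only. With no DOM (e.g. under Node
// in a test) it is a no-op, so the gating logic can be tested without a browser.
function loadAllowedTags(record, catalogue = TAG_CATALOGUE) {
  if (typeof document === "undefined") return 0;
  const tags = allowedTags(record, catalogue);
  for (const t of tags) {
    const s = document.createElement("script");
    s.src = t.src; s.async = true; s.dataset.consentTag = t.name;
    document.head.appendChild(s);
  }
  return tags.length;
}
```

Call loadAllowedTags only after consentIsCurrent returns true for the stored record; until then show the banner and load nothing, which is exactly what the incognito-window check above should confirm.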

Section 4 — Data Subject Rights

UK GDPR grants individuals eight rights. Your website must facilitate all of them. You must respond within 30 calendar days.

  • Right to Access (Subject Access Request) — user can request a copy of all data you hold on them. You must provide it free of charge within 30 days.
  • Right to Erasure ("Right to be Forgotten") — user can request deletion of their personal data. You must comply unless a legal obligation requires retention.
  • Right to Rectification — user can correct inaccurate data you hold
  • Right to Restrict Processing — user can ask you to stop using their data without deleting it
  • Right to Data Portability — user can request their data in a machine-readable format (CSV, JSON)
  • Right to Object — particularly important if you rely on Legitimate Interest as your lawful basis
  • A clear, accessible way to submit these requests exists on your website — a dedicated form or clearly labelled email address
  • You have an internal process for actioning requests within 30 days — and someone is responsible for it

Section 5 — Email Marketing & PECR Compliance

PECR (Privacy and Electronic Communications Regulations) applies to all marketing emails sent to UK users — on top of GDPR. Violations can result in fines of up to £500,000.
  • Every email signup form has an explicit, unchecked opt-in checkbox — pre-ticked boxes are illegal under PECR
  • Checkbox text is specific: "I agree to receive marketing emails from [Company Name] about [topic]" — not vague
  • Double opt-in confirmation email sent — legally safer and reduces spam complaints
  • Every marketing email contains a one-click unsubscribe link that works immediately
  • Unsubscribe requests actioned within 10 business days maximum
  • You do not email people who have not explicitly opted in — purchasing email lists is a GDPR and PECR violation
  • Your email platform (Mailchimp, Klaviyo, etc.) has a signed Data Processing Agreement (DPA) with you

Section 6 — Third-Party Tools & Data Processing Agreements

  • DPAs signed with every tool that processes personal data on your behalf — Google, Meta, HubSpot, Mailchimp, Stripe, Intercom, Hotjar
  • Google Analytics configured with IP anonymisation enabled (anonymize_ip: true in GA4 settings)
  • If using GA4 with data sent to US servers: Standard Contractual Clauses (SCCs) documented — Google's DPA covers this automatically but you must have it on file
  • Facebook/Meta Pixel only fires after cookie consent is given — verify in a fresh incognito session
  • Any US-based cloud services used: data transfer mechanisms documented in your privacy policy

Section 7 — Security Baseline

  • HTTPS enforced across the entire website — no mixed content warnings
  • Two-factor authentication (2FA) enabled on CMS, hosting, email, and domain registrar accounts
  • Data breach response plan exists — UK GDPR requires ICO notification within 72 hours of discovering a breach affecting personal data
  • Regular automated backups with offsite storage
  • Access to personal data limited to staff who genuinely require it — principle of least privilege
  • Admin passwords are unique, 16+ characters, stored in a password manager

Section 8 — Ongoing Compliance

  • Privacy Policy reviewed and updated whenever you add a new tool or change how you process data
  • ICO registration renewed annually — calendar reminder set
  • Cookie audit run every 6 months — new scripts get added to websites constantly. Use Cookiebot's scanner to catch undeclared cookies.
  • Staff who handle customer data have received basic GDPR awareness — even a 30-minute internal briefing counts
  • Google Search Console and Analytics checked monthly for unexpected data collection warnings

© 2026 Hamrix.