If your website collects any personal data (even just a contact form), GDPR applies. UK businesses fall under UK GDPR, Irish businesses under EU GDPR, and the two regimes are nearly identical. Getting them wrong risks fines (up to £17.5m or 4% of global annual turnover under UK GDPR, €20m or 4% under EU GDPR) and, more practically, loss of customer trust. Here is the checklist we work through on every build.
Who needs to care?
Almost everyone. If you have a contact form, newsletter signup, analytics, an online store or user accounts, you are processing personal data; an email address or an IP address in a server log is enough. That includes sole traders and small businesses: GDPR is not just for large companies.
The GDPR website checklist
1. Lawful basis & consent
- Only collect data you have a clear lawful basis for (for a website that is usually consent, contract, legal obligation or legitimate interests), and say which one you rely on in your privacy policy.
- Get explicit, opt-in consent for marketing, with no pre-ticked boxes: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
- Keep a record of what each person consented to, when, and the wording they saw at the time.
2. Cookie consent done properly
- Block non-essential cookies and similar storage (analytics, ads, pixels, localStorage identifiers) until the user consents; strictly necessary cookies such as a session or basket cookie are exempt. Check it in the browser's developer tools: no tracking requests or third-party cookies should appear before a choice has been made.
- Offer a genuine "Reject all" option with the same prominence as "Accept", not a lone "Accept" button with everything else buried in settings.
- Let users change or withdraw their choice later, and treat a withdrawal as an instruction to stop loading that category and to expire the cookies it set.
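The three cookie points above, as an added example (this is not code from the original page or from the agency's own projects): a small consent gate that keeps non-essential scripts from loading until the visitor opts in, offers a real "reject all", and lets the choice be changed later. Storage and script loading are injected so the same logic runs in a browser (localStorage and a script tag) or in Node for testing. The category names, storage key, cookie names and script URLs are assumptions for illustration.

```javascript
// Added example, not code from the original page. Strictly necessary cookies
// (session, basket) never go through this gate; only optional categories do.
const CATEGORIES = ["analytics", "marketing"]; // assumed category names
const CONSENT_KEY = "cookie-consent-v1";       // bump the version to re-ask after a policy change

function createConsentGate({ storage, loadScript, onWithdraw = () => {}, now = () => new Date() }) {
  const registered = [];    // non-essential scripts, each tagged with its category
  const loaded = new Set(); // script URLs already injected on this page

  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { return null; } // a corrupt record counts as "not decided"
  }

  function writeRecord(choices) {
    // Store what was chosen and when: this is the evidence trail you need later.
    storage.setItem(CONSENT_KEY, JSON.stringify({ choices, decidedAt: now().toISOString() }));
  }

  function allowed(category) {
    const record = readRecord();
    return record !== null && record.choices[category] === true;
  }

  function loadPermitted() {
    for (const { category, src } of registered) {
      if (!loaded.has(src) && allowed(category)) {
        loadScript(src);
        loaded.add(src);
      }
    }
  }

  const all = (value) => Object.fromEntries(CATEGORIES.map((c) => [c, value]));

  function setChoices(choices) {
    const before = readRecord();
    writeRecord(choices);
    for (const category of CATEGORIES) {
      // A category switched from on to off is a withdrawal: let the site expire its cookies.
      if (before && before.choices[category] === true && choices[category] !== true) onWithdraw(category);
    }
    loadPermitted();
  }

  return {
    // Register a non-essential script. It loads now only if consent is already on record.
    register(category, src) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
      registered.push({ category, src });
      loadPermitted();
    },
    hasDecided: () => readRecord() !== null, // show the banner while this is false
    acceptAll: () => setChoices(all(true)),
    rejectAll: () => setChoices(all(false)), // one click, same prominence as accept
    update(partial) {                         // "change your choice later"
      const record = readRecord();
      const current = record ? record.choices : all(false);
      setChoices({ ...all(false), ...current, ...partial });
    },
    allowed,
    loadedScripts: () => [...loaded],
  };
}

// Assumed browser wiring: localStorage for the record, a script tag for loading, and
// expiry of known first-party cookies when a category is withdrawn. A cookie set with a
// Domain attribute must be expired with that same attribute, so adjust per provider.
function browserGate() {
  return createConsentGate({
    storage: window.localStorage,
    loadScript: (src) => {
      const s = document.createElement("script");
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    },
    onWithdraw: (category) => {
      const names = { analytics: ["_ga"], marketing: ["_fbp"] }[category] || [];
      for (const n of names) document.cookie = `${n}=; Max-Age=0; path=/`;
    },
  });
}
```

A script that has already been injected on the current page keeps running until the next navigation; the gate's job is to make sure nothing loads before a choice exists and nothing in a withdrawn category loads afterwards, which is what you should confirm in the network tab.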
3. Privacy by design
- Collect the minimum data needed (data minimisation).
- Don't ask for fields you don't use.
- Set sensible data-retention periods, write them down, and delete (or anonymise) what you no longer need; form submissions and abandoned accounts are the usual things that pile up.
4. Hosting & data location
- Host in the UK/EU where practical, or use providers with proper transfer safeguards for anything leaving those regions (an adequacy decision, EU Standard Contractual Clauses, or the UK International Data Transfer Agreement/Addendum).
- Check where third-party tools (analytics, email, CRM, form handlers) store and process data, not just where your own server sits.
5. Security
- HTTPS everywhere (TLS 1.2 or later, with HSTS so browsers never fall back to plain HTTP).
- Encrypt sensitive data at rest and in transit, and store passwords only as salted hashes from a slow algorithm (bcrypt, scrypt or Argon2), never encrypted and never in plain text.
- Keep the framework, CMS, plugins and dependencies patched, and remove what you don't use; an unpatched component is one of the most common ways a small site gets breached.
6. Data subject rights
- Make it easy for users to exercise their rights: access to their data, correction, deletion, portability and objection, via a contact route named in the privacy policy.
- Have a process to respond within one month (extendable by up to two further months for complex requests), and verify the requester's identity before releasing anything: a subject access request is a well-known way to try to obtain someone else's data.
7. Policies & processors
- A clear, readable privacy policy that reflects what you actually do, including which lawful basis you rely on, which third parties receive data, and how long you keep it.
- Data Processing Agreements (DPAs, required by Article 28) with any third party that handles personal data on your behalf: hosting, email, analytics, payment and form providers.
- A simple breach-response plan: who decides, how you contain it, and the deadline to notify the ICO (UK) or DPC (Ireland) within 72 hours of becoming aware of a breach that is likely to put people at risk, plus the affected people themselves where that risk is high.
How we handle this
Compliance is far cheaper to build in than to bolt on. We bake these into every project — see our GDPR-compliant web development approach, or our core web development services. We work with businesses across the UK and Ireland, so this is part of how we build by default.