✦ AlgoGrass is a compliance guidance platform — not a law firm. Always review outputs with a qualified solicitor. ✦
If your website collects any personal data from UK or EU residents — an email address, a name, an IP address tracked by analytics — you are subject to UK GDPR. Non-compliance carries fines of up to £17.5 million or 4% of global turnover, and the ICO is increasingly active against SMEs. This checklist covers the 12 things every UK small business must have in place.
This checklist covers UK GDPR under the Data Protection Act 2018. EU GDPR applies if you also process data from EU residents. The requirements are nearly identical — see our UK GDPR vs EU GDPR article for the differences.
Under UK GDPR Article 6, every processing activity must have a lawful basis. You cannot collect or use personal data just because it would be useful. The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most SMEs use consent (for marketing), contract (for order fulfilment and customer accounts), and legitimate interests (for fraud prevention, security).
Document your lawful bases in a Records of Processing Activities (ROPA) — even a simple spreadsheet counts. This is a legal requirement under Article 30 for organisations with 250 or more employees, and best practice for all.
A template privacy policy that doesn't reflect what your website actually does is not compliant. Your privacy notice must cover: who you are and contact details, what data you collect, the lawful basis for each use, who you share data with (including processors), how long you keep it, users' rights and how to exercise them, and your ICO registration number if applicable.
Under PECR (UK) and UK GDPR, you must get consent before setting non-essential cookies. This means no cookies loading before consent is given, no pre-ticked boxes, and a real reject option that is at least as easy to use as the accept button.
Google Analytics, Meta Pixel, Hotjar, and most advertising tags are non-essential and require consent. Essential cookies (session, security, load-balancing) do not require consent but must be disclosed.
The ICO's own cookie compliance tool found that over 80% of websites tested failed basic PECR requirements. Banners that hide reject options, use dark patterns, or load analytics before consent are a common enforcement target.
Every form that collects personal data — contact forms, newsletter sign-ups, checkout forms, booking forms — must include a concise privacy notice at the point of collection. This doesn't need to be lengthy: a single sentence explaining how the data will be used, with a link to your full privacy policy, is typically sufficient.
Any third-party service that processes personal data on your behalf is a data processor, and Article 28 UK GDPR requires a Data Processing Agreement (DPA) to be in place. This includes email marketing platforms, cloud hosting, CRM, analytics, customer support tools, payroll software, and accounting systems.
Most major providers have a DPA available — often called a Data Processing Addendum. Many can be accepted within your account settings or by ticking a box during signup. Ensure you have actually signed or accepted these, not just noted that they exist.
Any individual can request a copy of all personal data you hold about them. Under UK GDPR, you must respond within one calendar month at no charge (unless requests are manifestly unfounded or excessive). You must also be able to respond to requests for erasure, rectification, portability, and restriction.
If you suffer a personal data breach — a cyber attack, accidental disclosure, loss of a device containing personal data — you must notify the ICO within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. If the risk is high, you must also notify affected individuals directly.
Article 5(1)(c) UK GDPR requires you to collect only data that is adequate, relevant, and limited to what is necessary for the stated purpose. Review every form on your website and ask: do you genuinely use each field?
You cannot keep personal data indefinitely. Article 5(1)(e) requires data to be kept in a form that identifies individuals for no longer than necessary. Common retention periods for UK SMEs: customer transaction data — 6 years (HMRC requirement); marketing lists — until consent withdrawn; job applications — 6 to 12 months; CCTV footage — 28 to 31 days.
Article 32 UK GDPR requires appropriate technical and organisational security measures relative to the risk. For most SMEs this means: HTTPS across the entire website (not just checkout), strong passwords and two-factor authentication on all systems holding personal data, encryption for sensitive data at rest, and limiting staff access to personal data on a need-to-know basis.
Most UK businesses that process personal data are required to pay the ICO data protection fee and register. The fee is £40/year for most small businesses and £60/year for medium businesses. There are exemptions for certain processing activities (e.g. purely for staff administration) but these are narrow.
GDPR compliance is not a one-time task. Your website, tools, and data practices change over time, and your compliance documentation must keep pace. Set a calendar reminder to review your privacy policy, ROPA, processor list, and consent mechanisms at least once per year — and whenever you make significant changes to how you collect or use data.