
โ† Back to blog
GDPR15 Jan 2025 ยท 8 min read

The 2025 GDPR Compliance Checklist for UK SMEs

If you run a website that collects any personal data from UK or EU residents (an email address, a name, an IP address), you are subject to GDPR or UK GDPR. This checklist covers the 12 core things every SME must have in place.

1. Establish a lawful basis for every type of data processing

Under GDPR Article 6, you need a lawful basis for each processing activity. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most SMEs rely on consent (for marketing) and contract (for order fulfilment).

2. Publish a compliant privacy policy

Your privacy policy must tell users: who you are, what data you collect, why you collect it, the lawful basis, who you share it with, how long you keep it, and their rights. A copy-pasted template is not enough: it must reflect what your website actually does.

3. Get proper cookie consent

Under the UK ePrivacy Regulations, you must get consent before setting any non-essential cookies. This means: no pre-ticked boxes, clear accept and reject options, and no cookies loading before consent is given.

4. Secure your contact and lead capture forms

Every form that collects personal data needs a privacy notice explaining how the data will be used. A short sentence with a link to your privacy policy is sufficient at the point of collection.

5. Sign Data Processing Agreements with all third-party processors

If you use tools like Mailchimp, Google Analytics, HubSpot, or Stripe (any service that processes personal data on your behalf), you need a Data Processing Agreement (DPA) in place under GDPR Article 28.

6. Create a process for Data Subject Access Requests

Any individual can request a copy of all personal data you hold about them. You have one calendar month to respond. Document your process before requests arrive.

7. Establish a data breach response plan

If you suffer a personal data breach, you must notify the ICO within 72 hours if it is likely to result in a risk to individuals. Have a plan in place before a breach happens.

8. Only collect data you actually need

Data minimisation under GDPR Article 5 requires you to only collect personal data that is adequate, relevant, and limited to what is necessary. Audit your forms and remove fields you do not genuinely need.

9. Define and document data retention periods

You cannot keep personal data indefinitely. Specify in your privacy policy how long you keep each category of data. Common periods: customer data 6 years (tax), marketing lists until consent withdrawn, job applications 6-12 months.

10. Secure personal data appropriately

GDPR requires appropriate technical and organisational measures. At minimum: use HTTPS, use strong passwords and two-factor authentication, encrypt sensitive data at rest, and limit who can access personal data.

Check your compliance score in 60 seconds

AlgoGrass scans your website and checks it against these requirements automatically. Get your free compliance report now.


This article is for guidance only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.