GDPR Compliance Checklist for UK Small Businesses
This is a testable checklist of 32 items covering the core GDPR compliance areas. Most can be ticked off within an hour each. Work through them in any order, though the priority indicators below suggest a sequencing if you’re starting from scratch.
Data Audit (Priority: High)
These form the foundation. Complete these before moving to policy and consent work.
- List all data types you collect: Names, emails, IP addresses, payment data, customer behaviour, employee data. Write it down.
- Map where data is stored: Email, CRM, spreadsheets, payment processor, analytics, backup systems. Know your systems.
- Document why you collect each type: Lawful basis (consent, contract, legitimate interest). Be specific.
- Identify all third-party services: Google Analytics, HubSpot, Mailchimp, Stripe, Intercom, etc. List them all.
- Check retention periods: How long do you keep each data type before deleting? Set clear timescales.
Privacy Policy (Priority: High)
Your privacy policy is the core compliance document. It must be complete, accurate, and accessible.
- Create or update your privacy policy: Check it against the 12-point requirements guide. Tick off each requirement.
- Make it specific to your business: Don’t copy a template. Describe what your business actually does.
- Link to it from every page: Footer link at minimum. Accessible from anywhere.
- Include a date: When was it last updated? Update it whenever the policy changes, and review it annually at minimum.
- Include ICO registration number: Once you’re registered (see below), add your registration number.
- Reference DUAA complaint handling: Explain how people can complain to you directly (the Data (Use and Access) Act 2025 places a duty on controllers to facilitate and acknowledge complaints) and how they can complain to the ICO.
Cookie Consent (Priority: High)
Broken cookie consent is the most visible failure. Fix this.
- Audit what fires before consent: Use your browser’s developer tools in a private window or fresh profile. Does Google Analytics fire on page load? Does any non-essential script load, or any non-essential cookie get set, before you’ve interacted with the banner?
- Implement a consent mechanism: Use a CMP (Cookiebot, Osano, iubenda) or code a consent check. It must stop non-essential scripts from loading and non-essential cookies from being set until the visitor opts in; a banner that merely sits on top of scripts that have already run is not consent.
- Offer genuine choice: Separate toggles for Essential, Analytics, Marketing, and a “Reject All” that is as easy to find as “Accept All.” Not just “Accept All.”
- Test it works: Verify non-essential scripts don’t load until you’ve given consent, that a rejection is remembered, and that withdrawing consent stops them. Check again after adding the mechanism and after every site change that adds a script.
- Disclose cookies in privacy policy: List what cookies you use, why, how long they last, and what third parties set them.
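The audit, gating and test steps above come down to one rule: nothing non-essential runs until a recorded choice allows it. The following is an added example, not code from the original checklist or from any CMP vendor; the cookie name `site_consent`, the two categories and the script registry are illustrative assumptions, and the GA measurement ID is a placeholder. The loader reads the visitor’s choices from a cookie, injects only the scripts those choices permit, and the audit helper flags registry hosts that have already been fetched (feed it `performance.getEntriesByType("resource").map(e => e.name)` from the console on a fresh profile).

```javascript
// Added example (not from the original checklist): gate non-essential scripts
// behind per-category consent, and audit what has already loaded.
// Assumptions: the cookie name, the categories and the registry are illustrative;
// the GA measurement ID is a placeholder.

const CONSENT_COOKIE = "site_consent";
const CATEGORIES = ["analytics", "marketing"];

// Non-essential third-party scripts keyed by the consent category that permits
// them. Nothing in this registry may load before the matching category is true.
const SCRIPT_REGISTRY = {
  analytics: ["https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX"],
  marketing: ["https://connect.facebook.net/en_US/fbevents.js"],
};

// "No decision" is every category false: the safe default is to load nothing.
function noConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Read the choices back out of a document.cookie string ("a=b; site_consent=...").
// A missing, unknown or malformed cookie is treated as no consent.
function parseConsent(cookieString) {
  const consent = noConsent();
  if (!cookieString) return consent;
  const entry = cookieString
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return consent;
  let value;
  try {
    value = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1));
  } catch {
    return consent; // bad percent-encoding: fail closed
  }
  for (const item of value.split(",")) {
    const [category, flag] = item.split(":");
    if (CATEGORIES.includes(category)) consent[category] = flag === "1";
  }
  return consent;
}

// Cookie string that records the choices, including an explicit reject-all, so
// the banner is not shown again. Remembering the choice is strictly necessary
// and needs no consent itself. Assign it with document.cookie = ... in the browser.
function buildConsentCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = CATEGORIES.map((c) => `${c}:${choices[c] ? "1" : "0"}`).join(",");
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// URLs permitted under the given consent, in registry order.
function scriptsToLoad(consent, registry = SCRIPT_REGISTRY) {
  return CATEGORIES.filter((c) => consent[c] === true).flatMap((c) => registry[c] || []);
}

// Inject the permitted scripts. `inject` is passed in so the same logic runs in
// the browser (append a <script>) and in a test (record the URL). Returns the list.
function loadScripts(consent, inject, registry = SCRIPT_REGISTRY) {
  const urls = scriptsToLoad(consent, registry);
  urls.forEach(inject);
  return urls;
}

// Audit helper: given URLs the page has already fetched, report any whose host
// belongs to the registry. On a fresh profile before touching the banner, a
// non-empty result means a non-essential script fires before consent.
function auditPreConsent(resourceUrls, registry = SCRIPT_REGISTRY) {
  const hosts = CATEGORIES.flatMap((c) =>
    (registry[c] || []).map((u) => ({ host: new URL(u).hostname, category: c })),
  );
  const findings = [];
  for (const res of resourceUrls) {
    let host;
    try {
      host = new URL(res).hostname;
    } catch {
      continue; // not an absolute URL (e.g. a data: or blob: entry); skip it
    }
    const hit = hosts.find((h) => h.host === host);
    if (hit) findings.push({ url: res, category: hit.category });
  }
  return findings;
}

// Browser wiring: only runs where a document exists. On banner submit, set
// document.cookie = buildConsentCookie(choices) and call loadScripts again.
if (typeof document !== "undefined") {
  loadScripts(parseConsent(document.cookie), (url) => {
    const s = document.createElement("script");
    s.src = url;
    s.async = true;
    document.head.appendChild(s);
  });
}
```

Two caveats a tester should know. The audit matches exact hostnames, so a vendor that loads from a regional subdomain will need that host added to the registry (or a registrable-domain match) before it is caught. And withdrawing consent only prevents future loads; a script already injected in the current page view keeps running until the page is reloaded, so a withdrawal handler should also clear that vendor’s cookies and reload.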
Third-Party Scripts (Priority: Medium)
Ensure every embedded service is disclosed in your privacy policy and has a lawful basis.
- List all embedded scripts: Google Analytics, Facebook Pixel, forms, chat tools, video embeds. Document them.
- Ensure each is in privacy policy: Check your privacy policy mentions each service.
- Review data processing agreements: Most major services have standard DPAs, usually accepted as part of their terms. Request or locate them if you don’t have them on file.
- Document lawful basis: Why are you sharing data with each service? (Legitimate interest for analytics, consent for marketing, contractual for payment. Note that analytics cookies still need consent under PECR even where the processing rests on legitimate interest.)
Data Subject Rights (Priority: Medium)
People need to know how to exercise their rights.
- Document rights in privacy policy: Access, rectification, erasure, portability, objection. Explain each plainly.
- Provide a contact for requests: Email address or form where people can ask to exercise rights.
- Create a DSAR process: Who receives requests? How do you verify identity? Where do you find the data? Can you respond within one month (extendable by a further two months for complex requests, if you tell the requester why within the first month)? (See the DSAR guide for detail.)
Employee Data (Priority: Medium)
If you have employees, you process HR data.
- Issue a staff privacy notice: Explain what employee data you hold and why.
- Document retention periods: How long do you keep employment records? (Common: 6 years post-employment.)
- Establish data processing agreements: With payroll provider, accountant, anyone who handles HR data.
Security & HTTPS (Priority: Medium)
Data protection requires basic security measures.
- Use HTTPS: Check your website shows a padlock in the browser, that plain http:// addresses redirect to https://, and that no page loads http:// resources (mixed content). Data in transit must be encrypted.
- Review password policies: Are system passwords long and unique, kept in a password manager, and is multi-factor authentication switched on for email, hosting and admin accounts? Forced periodic changes are no longer recommended (NCSC guidance); change a password when you suspect it has been compromised.
- Plan backups: Do you have backups of important data? Tested recovery? Restore from a backup at least once so you know it works, and keep a copy somewhere a compromise of your main systems can’t reach.
Compliance Infrastructure (Priority: Low)
These formalize your compliance posture.
- Register with the ICO: Use the self-assessment at ico.org.uk. Most businesses that process personal data electronically must pay the data protection fee, which is tiered by size and turnover; small businesses usually fall in the lowest tier (check the current amount on ico.org.uk, as the fee was last revised in 2025).
- Keep a DSAR log: Simple spreadsheet: date received, person, status, response date, notes.
- Review annually: Set a calendar reminder to review privacy policy and cookie consent yearly. Update as needed.
Priority Indicators
Start here (High priority — foundation work): Data Audit, Privacy Policy, Cookie Consent
Then do this (Medium priority — operational work): Third-Party Scripts, Data Subject Rights, Employee Data, Security
Last (Low priority — formalization): Compliance Infrastructure
If you complete the high-priority items, you’ve addressed the most visible gaps. Medium and low priority items strengthen your posture but aren’t blockers.
What Each Item Means
List all data types: Open a spreadsheet. Write down every piece of personal data you collect (names, emails, IP addresses, payments, etc.) and where it comes from.
Map storage: Where does this data actually live? Email? CRM? Spreadsheet? Cloud storage? Payment processor? Know your systems.
Document lawful basis: For each data type, why are you collecting it? “Consent for newsletter signup,” “Contract for payment processing,” “Legitimate interest for analytics.” Be specific.
Identify third-party services: Go through your website and external systems. Every service that processes personal data gets listed.
Check retention periods: For each data type, how long do you keep it? “Customer contact forms: 12 months,” “Employee records: 6 years,” “Analytics: 2 months” (the GA4 default for event data; 14 months is the other option on a standard property).
Create/update privacy policy: Check it against the 12-point standard in the privacy policy guide. Ensure every point is covered.
Make it specific: Don’t use generic language. Say what you actually do. “We use Google Analytics to understand which pages visitors use most” is better than “We use analytics to improve our service.”
Link from every page: Privacy policy accessible from footer or menu. Visitors should find it easily.
Date it: Write the date on the policy. Update every time you change it.
Reference DUAA: Add language explaining how people can complain to you directly and to the ICO under the DUAA complaint handling provisions (updated February 2026).
Audit scripts: Open a private window or a fresh browser profile so an earlier consent choice doesn’t mask the problem. Use browser developer tools (F12 → Network tab). Reload your site. Watch what loads. Does Google Analytics fire? Facebook Pixel? Before you’ve clicked anything? Then check Application → Cookies for anything set on first load. If a non-essential script fires or a non-essential cookie appears, fix it.
Implement consent: Use a Consent Management Platform or code a consent check that blocks non-essential scripts until the user agrees.
Offer choice: Don’t hide reject buttons. Don’t pre-tick acceptance. Let people reject marketing cookies without losing site access.
Test it: Verify scripts don’t load without consent. Test again after implementation.
Disclose cookies: Privacy policy mentions every cookie you use.
List scripts: Document all embedded third-party services.
Check privacy policies: Your privacy policy mentions each third-party service.
Get DPAs: Request Data Processing Agreements from service providers. They usually have standard forms.
Document basis: Understand why you’re sharing data with each third-party service, and record the lawful basis for each.
Document rights: Privacy policy explains access, rectification, erasure, portability, objection in plain English.
Provide contact: Email or form for exercising rights.
Create DSAR process: Can you find and send someone’s data within one month? Have you documented the process?
Staff privacy notice: If you have employees, they get a notice explaining what data you hold about them.
Retention policy: How long you keep employment records.
Data Processing Agreements: Formal agreements with anyone who processes employee data.
HTTPS: Website uses encrypted connections, and http:// redirects to https://.
Passwords: Systems are password-protected; passwords are strong and unique, and MFA is enabled where available.
Backups: You have backups, and you have actually restored from them.
ICO registration: Check if you must register and do so if required.
DSAR log: Spreadsheet tracking incoming requests and responses.
Annual review: Calendar reminder to review and update compliance annually.
Going Deeper
This checklist covers the surface. Once you’ve completed all 32 items, you have a defensible compliance baseline.
For deeper dives, see:
- How to Make Your Website GDPR Compliant — 8-step guide with more detail
- Privacy Policy Requirements — 12-point breakdown
- How to Handle a DSAR — detailed DSAR process
- GDPR Myths — clarification on common misconceptions
- UK GDPR vs EU GDPR — if you serve EU customers
- DUAA 2026 — latest regulatory changes
If you want an external audit of your current state, Bartram Web screens your website against these items and delivers a prioritised action plan showing exactly what’s missing.
Last updated: 2026-03-23